diff --git a/changelog/unreleased/fix-ocm.md b/changelog/unreleased/fix-ocm.md
new file mode 100644
index 00000000000..ae91ed7a81b
--- /dev/null
+++ b/changelog/unreleased/fix-ocm.md
@@ -0,0 +1,8 @@
+Bugfix: Fix the OCM
+
+Fixed the OCM WebDAV protocol entity mismatch
+Fixed OCM invintation restrictions to always allow providers
+Fixed the OCM user id decoding
+
+https://github.com/owncloud/ocis/pull/11743
+https://github.com/owncloud/reva/pull/426
\ No newline at end of file
diff --git a/go.mod b/go.mod
index a9d1ba9acf5..81d687e6f95 100644
--- a/go.mod
+++ b/go.mod
@@ -354,4 +354,4 @@ replace go-micro.dev/v4 => github.com/kobergj/go-micro/v4 v4.0.0-20250117084952-
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
 exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
-replace github.com/cs3org/reva/v2 => github.com/owncloud/reva/v2 v2.0.0-20250724132414-1d9f38a30619
+replace github.com/cs3org/reva/v2 => github.com/owncloud/reva/v2 v2.0.0-20251017130940-3bedbdbd7ead
diff --git a/go.sum b/go.sum
index 1386eee7216..0aa450d9208 100644
--- a/go.sum
+++ b/go.sum
@@ -881,8 +881,8 @@ github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CF github.com/ovh/go-ovh v1.1.0/go.mod h1:AxitLZ5HBRPyUd+Zl60Ajaag+rNTdVXWIkzfrVuTXWA= github.com/owncloud/libre-graph-api-go v1.0.5-0.20250217093259-fa3804be6c27 h1:ID8s5lGBntmrlI6TbDAjTzRyHucn3bVM2wlW+HBplv4= github.com/owncloud/libre-graph-api-go v1.0.5-0.20250217093259-fa3804be6c27/go.mod h1:+gT+x62AS9u2Farh9wE2uYmgdvTg0MQgsSI62D+xoRg= -github.com/owncloud/reva/v2 v2.0.0-20250724132414-1d9f38a30619 h1:CB8hisJolJSTk+Inu6kJ8NWzU7nr6a7xtFvNnybTC/g= -github.com/owncloud/reva/v2 v2.0.0-20250724132414-1d9f38a30619/go.mod h1:1H26PMXoa1rDrIoZ7lGOerq1Bg07/5srYfRaKfxBSsc= +github.com/owncloud/reva/v2 v2.0.0-20251017130940-3bedbdbd7ead h1:FGSOfHj41r34fBYHiRGIxUNxOUnrNCP2oMlLQhet1Io= +github.com/owncloud/reva/v2 v2.0.0-20251017130940-3bedbdbd7ead/go.mod h1:1H26PMXoa1rDrIoZ7lGOerq1Bg07/5srYfRaKfxBSsc= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= github.com/pablodz/inotifywaitgo v0.0.7 h1:1ii49dGBnRn0t1Sz7RGZS6/NberPEDQprwKHN49Bv6U=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/ocmshareprovider/ocmshareprovider.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/ocmshareprovider/ocmshareprovider.go
index ba1fdaaca38..3b2b89fa624 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/ocmshareprovider/ocmshareprovider.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/ocmshareprovider/ocmshareprovider.go
@@ -187,7 +187,7 @@ func (s *service) getWebdavProtocol(ctx context.Context, share *ocm.Share, m *oc
 return &ocmd.WebDAV{
 Permissions: perms,
- URL: s.webdavURL(ctx, share),
+ URI: s.webdavURL(ctx, share),
 SharedSecret: share.Token,
 }
 }
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/protocols.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/protocols.go
index 00e2d51f117..c8e10834be6 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/protocols.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/protocols.go
@@ -47,7 +47,37 @@ type Protocol interface {
 type WebDAV struct {
 SharedSecret string `json:"sharedSecret" validate:"required"`
 Permissions []string `json:"permissions" validate:"required,dive,required,oneof=read write share"`
- URL string `json:"url" validate:"required"`
+ URI string `json:"uri" validate:"required"`
+}
+
+// UnmarshalJSON implements custom JSON unmarshaling for backward compatibility.
+// It supports both "url" (legacy) and "uri" (new) field names.
+func (w *WebDAV) UnmarshalJSON(data []byte) error {
+ // Define a temporary struct with both url and uri fields
+ type WebDAVAlias struct {
+ SharedSecret string `json:"sharedSecret"`
+ Permissions []string `json:"permissions"`
+ URL string `json:"url"`
+ URI string `json:"uri"`
+ }
+
+ var alias WebDAVAlias
+ if err := json.Unmarshal(data, &alias); err != nil {
+ return err
+ }
+
+ // Copy common fields
+ w.SharedSecret = alias.SharedSecret
+ w.Permissions = alias.Permissions
+
+ // Use URI if present, otherwise fall back to URL for backward compatibility
+ if alias.URI != "" {
+ w.URI = alias.URI
+ } else {
+ w.URI = alias.URL
+ }
+
+ return nil
 }
 // ToOCMProtocol convert the protocol to a ocm Protocol struct.
@@ -73,7 +103,7 @@ func (w *WebDAV) ToOCMProtocol() *ocm.Protocol {
 }
 }
- return ocmshare.NewWebDAVProtocol(w.URL, w.SharedSecret, perms)
+ return ocmshare.NewWebDAVProtocol(w.URI, w.SharedSecret, perms)
 }
 // Webapp contains the parameters for the Webapp protocol.
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/shares.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/shares.go
index cb7de98ae60..fdd916f2f26 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/shares.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/ocmd/shares.go
@@ -19,6 +19,7 @@
 package ocmd
 import (
+ "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -213,6 +214,10 @@ func getIDAndMeshProvider(user string) (string, string, error) {
 if len(split) < 2 {
 return "", "", errors.New("not in the form @")
 }
+ candidate := split[0]
+ if b, err := base64.StdEncoding.DecodeString(candidate); err == nil {
+ split = strings.Split(string(b), "@")
+ }
 return strings.Join(split[:len(split)-1], "@"), split[len(split)-1], nil
 }
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/ocm/provider/authorizer/json/json.go b/vendor/github.com/cs3org/reva/v2/pkg/ocm/provider/authorizer/json/json.go
index 152140fdba4..5a8bf296a9b 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/ocm/provider/authorizer/json/json.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/ocm/provider/authorizer/json/json.go
@@ -173,10 +173,12 @@ func (a *authorizer) IsProviderAllowed(ctx context.Context, pi *ocmprovider.Prov
 }
 switch {
- case !providerAuthorized:
- return errtypes.NotFound(pi.GetDomain())
 case !a.conf.VerifyRequestHostname:
+ log.Info().Msg("VerifyRequestHostname is disabled. any provider is allowed")
 return nil
+ case !providerAuthorized:
+ log.Info().Msg("providerAuthorized is false")
+ return errtypes.NotFound(pi.GetDomain())
 case len(pi.Services) == 0:
 return ErrNoIP
 }
diff --git a/vendor/github.com/cs3org/reva/v2/pkg/ocm/user/user.go b/vendor/github.com/cs3org/reva/v2/pkg/ocm/user/user.go
index 9be8add2b4d..955280373b1 100644
--- a/vendor/github.com/cs3org/reva/v2/pkg/ocm/user/user.go
+++ b/vendor/github.com/cs3org/reva/v2/pkg/ocm/user/user.go
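Review bot: In `getIDAndMeshProvider` (ocmd/shares.go, second hunk) the added base64 step replaces `split` with whatever `split[0]` decodes to, and nothing re-checks the result afterwards. A plain, unencoded id whose first segment happens to be valid standard base64 (any run of four alphanumerics is) gets decoded as well; if the decoded bytes contain no `@`, `split` has a single element and the function returns an empty id with the decoded bytes as the provider, because the `len(split) < 2` guard has already run. Even when decoding is intended, the provider now comes from inside the decoded value rather than from the part after the last `@` of the input, which deserves a comment if callers use it for trust decisions (not visible here). Accept the decoded form only when it is well formed: `if dec := strings.Split(string(b), "@"); len(dec) >= 2 { split = dec }`. The function starts above the hunk, so `split` is assumed to be `user` split on `@`.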
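Review bot: In `IsProviderAllowed` (authorizer/json/json.go), moving `case !a.conf.VerifyRequestHostname` ahead of `case !providerAuthorized` means that with hostname verification off the `providerAuthorized` check is skipped entirely, not only the hostname check. The changelog says this is intended, but the option name does not suggest it, so the case should carry a comment such as `// with VerifyRequestHostname disabled the providerAuthorized check is skipped as well`, and the option's documentation should say the same. Both new log lines omit the domain and are written at Info on every call; `log.Debug().Str("domain", pi.GetDomain()).Msg("provider is not authorized")` would be usable in an audit trail without flooding the log. The function begins above the hunk, so how `providerAuthorized` and `log` are set is not visible here.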
@@ -12,7 +12,7 @@ import (
 // 1. stripping the protocol from the domain and
 // 2. base64 encoding the opaque id with the domain to get a unique identifier that cannot collide with other users
 func FederatedID(id *userpb.UserId, domain string) *userpb.UserId {
- opaqueId := base64.URLEncoding.EncodeToString([]byte(id.OpaqueId + "@" + id.Idp))
+ opaqueId := base64.StdEncoding.EncodeToString([]byte(id.OpaqueId + "@" + id.Idp))
 return &userpb.UserId{
 Type: userpb.UserType_USER_TYPE_FEDERATED,
 Idp: domain,
@@ -29,7 +29,7 @@ func RemoteID(id *userpb.UserId) *userpb.UserId {
 Idp: id.Idp,
 OpaqueId: id.OpaqueId,
 }
- bytes, err := base64.URLEncoding.DecodeString(id.GetOpaqueId())
+ bytes, err := base64.StdEncoding.DecodeString(id.GetOpaqueId())
 if err != nil {
 return remoteId
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bc5895a4145..dcac588759f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -371,7 +371,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.27.7 => github.com/owncloud/reva/v2 v2.0.0-20250724132414-1d9f38a30619 +# github.com/cs3org/reva/v2 v2.27.7 => github.com/owncloud/reva/v2 v2.0.0-20251017130940-3bedbdbd7ead ## explicit; go 1.22.7 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime
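Review bot: `RemoteID` (ocm/user/user.go, second hunk) now decodes with `base64.StdEncoding` only, so an opaque id that `FederatedID` produced with `URLEncoding` before this change and that contains `-` or `_` fails to decode and is returned unchanged by the `if err != nil { return remoteId }` branch, with no error reaching the caller. If such ids can already be stored locally or held by peers (not visible here), fall back to the old alphabet before the existing error check: `if err != nil { bytes, err = base64.URLEncoding.DecodeString(id.GetOpaqueId()) }`. In `FederatedID` (first hunk) the standard alphabet can put `+` and `/` into the opaque id, so every place that puts this id into a URL path or query has to escape it; a one-line comment on `opaqueId` saying so would help. Both functions continue outside their hunks.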
@@ -2408,4 +2408,4 @@ stash.kopano.io/kgol/rndm # github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c # github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20240807130109-f62bb67e8c90 # go-micro.dev/v4 => github.com/kobergj/go-micro/v4 v4.0.0-20250117084952-d07d30666b7c -# github.com/cs3org/reva/v2 => github.com/owncloud/reva/v2 v2.0.0-20250724132414-1d9f38a30619 +# github.com/cs3org/reva/v2 => github.com/owncloud/reva/v2 v2.0.0-20251017130940-3bedbdbd7ead