0
0
Fork 0
mirror of https://github.com/verdigado/organization_folders.git synced 2024-11-21 20:28:11 +01:00

finalized ACL management

This commit is contained in:
Jonathan Treffler 2024-11-06 19:58:57 +01:00
parent fdb4b8fc76
commit 22c06b5689
3 changed files with 125 additions and 46 deletions

View file

@ -4,6 +4,8 @@ declare(strict_types=1);
namespace OCA\OrganizationFolders\Service; namespace OCA\OrganizationFolders\Service;
use Psr\Container\ContainerInterface;
use OCP\AppFramework\Db\TTransactional; use OCP\AppFramework\Db\TTransactional;
use OCP\IDBConnection; use OCP\IDBConnection;
@ -31,7 +33,7 @@ class OrganizationFolderService {
protected PathManager $pathManager, protected PathManager $pathManager,
protected GroupfolderManager $groupfolderManager, protected GroupfolderManager $groupfolderManager,
protected ACLManager $aclManager, protected ACLManager $aclManager,
protected ResourceService $resourceService, protected ContainerInterface $container,
) { ) {
} }
@ -96,6 +98,8 @@ class OrganizationFolderService {
organizationId: $organizationId, organizationId: $organizationId,
); );
$this->applyPermissions($groupfolderId);
return $organizationFolder; return $organizationFolder;
}, $this->db); }, $this->db);
} }
@ -107,7 +111,7 @@ class OrganizationFolderService {
?string $organizationProviderId = null, ?string $organizationProviderId = null,
?int $organizationId = null ?int $organizationId = null
): OrganizationFolder { ): OrganizationFolder {
return $this->atomic(function () use ($id, $name, $quota, $organizationProviderId, $organizationId) { $this->atomic(function () use ($id, $name, $quota, $organizationProviderId, $organizationId) {
if(isset($name)) { if(isset($name)) {
$this->folderManager->renameFolder($id, $name); $this->folderManager->renameFolder($id, $name);
} }
@ -136,9 +140,11 @@ class OrganizationFolderService {
$this->tagService->update($id, "organization_provider", $organizationProviderId); $this->tagService->update($id, "organization_provider", $organizationProviderId);
$this->tagService->update($id, "organization_id", (string)$organization->getId()); $this->tagService->update($id, "organization_id", (string)$organization->getId());
} }
return $this->find($id);
}, $this->db); }, $this->db);
$this->applyPermissions($id);
return $this->find($id);
} }
public function applyPermissions(int $id) { public function applyPermissions(int $id) {
@ -149,7 +155,9 @@ class OrganizationFolderService {
$this->setGroupsAsGroupfolderMembers($organizationFolder->getId(), $memberGroups); $this->setGroupsAsGroupfolderMembers($organizationFolder->getId(), $memberGroups);
$this->setRootFolderACLs($organizationFolder, $memberGroups); $this->setRootFolderACLs($organizationFolder, $memberGroups);
return $this->resourceService->setAllFolderResourceAclsInOrganizationFolder($organizationFolder, $memberGroups); /** @var ResourceService */
$resourceService = $this->container->get(ResourceService::class);
return $resourceService->setAllFolderResourceAclsInOrganizationFolder($organizationFolder, $memberGroups);
} }
protected function getMemberGroups(OrganizationFolder $organizationFolder) { protected function getMemberGroups(OrganizationFolder $organizationFolder) {

View file

@ -17,7 +17,9 @@ use OCA\OrganizationFolders\Enum\MemberType;
class ResourceMemberService { class ResourceMemberService {
public function __construct( public function __construct(
private ResourceMemberMapper $mapper protected ResourceMemberMapper $mapper,
protected ResourceService $resourceService,
protected OrganizationFolderService $organizationFolderService,
) { ) {
} }
@ -48,8 +50,11 @@ class ResourceMemberService {
MemberType $type, MemberType $type,
string $principal string $principal
): ResourceMember { ): ResourceMember {
$resource = $this->resourceService->find($resourceId);
$member = new ResourceMember(); $member = new ResourceMember();
$member->setResourceId($resourceId);
$member->setResourceId($resource->getId());
$member->setPermissionLevel($permissionLevel->value); $member->setPermissionLevel($permissionLevel->value);
$member->setType($type->value); $member->setType($type->value);
@ -58,7 +63,11 @@ class ResourceMemberService {
$member->setCreatedTimestamp(time()); $member->setCreatedTimestamp(time());
$member->setLastUpdatedTimestamp(time()); $member->setLastUpdatedTimestamp(time());
return $this->mapper->insert($member); $member = $this->mapper->insert($member);
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
return $member;
} }
public function update(int $id, ?MemberPermissionLevel $permissionLevel = null, ?MemberType $type = null, ?string $principal = null): ResourceMember { public function update(int $id, ?MemberPermissionLevel $permissionLevel = null, ?MemberType $type = null, ?string $principal = null): ResourceMember {
@ -81,7 +90,12 @@ class ResourceMemberService {
$member->setLastUpdatedTimestamp(time()); $member->setLastUpdatedTimestamp(time());
} }
return $this->mapper->update($member); $member = $this->mapper->update($member);
$resource = $this->resourceService->find($member->getResourceId());
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
return $member;
} catch (Exception $e) { } catch (Exception $e) {
$this->handleException($e); $this->handleException($e);
} }
@ -90,7 +104,12 @@ class ResourceMemberService {
public function delete(int $id): ResourceMember { public function delete(int $id): ResourceMember {
try { try {
$member = $this->mapper->find($id); $member = $this->mapper->find($id);
$this->mapper->delete($member); $this->mapper->delete($member);
$resource = $this->resourceService->find($member->getResourceId());
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
return $member; return $member;
} catch (Exception $e) { } catch (Exception $e) {
$this->handleException($e); $this->handleException($e);

View file

@ -4,6 +4,8 @@ namespace OCA\OrganizationFolders\Service;
use Exception; use Exception;
use Psr\Container\ContainerInterface;
use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Db\MultipleObjectsReturnedException; use OCP\AppFramework\Db\MultipleObjectsReturnedException;
@ -29,8 +31,9 @@ class ResourceService {
protected PathManager $pathManager, protected PathManager $pathManager,
protected ACLManager $aclManager, protected ACLManager $aclManager,
protected UserMappingManager $userMappingManager, protected UserMappingManager $userMappingManager,
protected ResourceMemberService $resourceMemberService,
protected OrganizationProviderManager $organizationProviderManager, protected OrganizationProviderManager $organizationProviderManager,
protected OrganizationFolderService $organizationFolderService,
protected ContainerInterface $container,
) { ) {
} }
@ -120,6 +123,8 @@ class ResourceService {
$resource = $this->mapper->insert($resource); $resource = $this->mapper->insert($resource);
$this->organizationFolderService->applyPermissions($organizationFolderId);
return $resource; return $resource;
} else { } else {
throw new ResourceNameNotUnique(); throw new ResourceNameNotUnique();
@ -187,14 +192,27 @@ class ResourceService {
$resource->setLastUpdatedTimestamp(time()); $resource->setLastUpdatedTimestamp(time());
} }
return $this->mapper->update($resource); $resource = $this->mapper->update($resource);
$this->organizationFolderService->applyPermissions($resource->getOrganizationFolderId());
return $resource;
// TODO: improve error handing: if db update fails roll back changes in the filesystem // TODO: improve error handing: if db update fails roll back changes in the filesystem
} }
public function setAllFolderResourceAclsInOrganizationFolder(OrganizationFolder $organizationFolder, array $inheritingGroups) { public function setAllFolderResourceAclsInOrganizationFolder(OrganizationFolder $organizationFolder, array $inheritingGroups) {
$topLevelFolderResources = $this->findAll($organizationFolder->getId(), null, ["type" => "folder"]); $topLevelFolderResources = $this->findAll($organizationFolder->getId(), null, ["type" => "folder"]);
return $this->recursivelySetFolderResourceALCs($topLevelFolderResources, "", $inheritingGroups); $inheritingPrincipals = [];
foreach($inheritingGroups as $inheritingGroup) {
$inheritingPrincipals[] = [
"type" => "group",
"groupId" => $inheritingGroup,
];
}
return $this->recursivelySetFolderResourceALCs($topLevelFolderResources, "", $inheritingPrincipals);
} }
/** /**
@ -207,23 +225,41 @@ class ResourceService {
* @param array $inheritingGroups * @param array $inheritingGroups
* @psalm-param string[] $inheritingGroups * @psalm-param string[] $inheritingGroups
*/ */
public function recursivelySetFolderResourceALCs(array $folderResources, string $path, array $inheritingGroups) { public function recursivelySetFolderResourceALCs(array $folderResources, string $path, array $inheritingPrincipals) {
foreach($folderResources as $folderResource) { foreach($folderResources as $folderResource) {
$resourceFileId = $folderResource->getFileId(); $resourceFileId = $folderResource->getFileId();
$acls = []; $acls = [];
// inherit ACLs // inherit ACLs
foreach($inheritingGroups as $inheritingGroup) { foreach($inheritingPrincipals as $inheritingPrincipal) {
$acls[] = new Rule( if($inheritingPrincipal["type"] === "group") {
userMapping: $this->userMappingManager->mappingFromId("group", $inheritingGroup), $acls[] = new Rule(
fileId: $resourceFileId, userMapping: $this->userMappingManager->mappingFromId("group", $inheritingPrincipal["groupId"]),
mask: 31, fileId: $resourceFileId,
permissions: $folderResource->getInheritedAclPermission(), mask: 31,
); permissions: $folderResource->getInheritedAclPermission(),
);
} else if($inheritingPrincipal["type"] === "user") {
$acls[] = new Rule(
userMapping: $this->userMappingManager->mappingFromId("user", $inheritingPrincipal["userId"]),
fileId: $resourceFileId,
mask: 31,
permissions: $folderResource->getInheritedAclPermission(),
);
}
}
// inherited principals will affect resources further down, if they have any permissions at this level
if($folderResource->getInheritedAclPermission() !== 0) {
$nextInheritingPrincipals = $inheritingPrincipals;
} else {
$nextInheritingPrincipals = [];
} }
// member ACLs // member ACLs
$resourceMembers = $this->resourceMemberService->findAll($folderResource->getId()); /** @var ResourceService */
$resourceMemberService = $this->container->get(ResourceMemberService::class);
$resourceMembers = $resourceMemberService->findAll($folderResource->getId());
foreach($resourceMembers as $resourceMember) { foreach($resourceMembers as $resourceMember) {
if($resourceMember->getPermissionLevel() === MemberPermissionLevel::MANAGER->value) { if($resourceMember->getPermissionLevel() === MemberPermissionLevel::MANAGER->value) {
$resourceMemberPermissions = $folderResource->getManagersAclPermission(); $resourceMemberPermissions = $folderResource->getManagersAclPermission();
@ -233,36 +269,52 @@ class ResourceService {
throw new Exception("invalid resource member permission level"); throw new Exception("invalid resource member permission level");
} }
if($resourceMember->getType() === MemberType::USER->value) { if($resourceMemberPermissions !== 0) {
$mapping = $this->userMappingManager->mappingFromId("user", $resourceMember->getPrincipal()); if($resourceMember->getType() === MemberType::USER->value) {
} else if($resourceMember->getType() === MemberType::GROUP->value) { $mapping = $this->userMappingManager->mappingFromId("user", $resourceMember->getPrincipal());
$mapping = $this->userMappingManager->mappingFromId("group", $resourceMember->getPrincipal()); $nextInheritingPrincipals[] = [
} else if($resourceMember->getType() === MemberType::ROLE->value) { "type" => "user",
['organizationProviderId' => $organizationProviderId, 'roleId' => $roleId] = $resourceMember->getParsedPrincipal(); "userId" => $resourceMember->getPrincipal(),
];
} else if($resourceMember->getType() === MemberType::GROUP->value) {
$mapping = $this->userMappingManager->mappingFromId("group", $resourceMember->getPrincipal());
$nextInheritingPrincipals[] = [
"type" => "group",
"groupId" => $resourceMember->getPrincipal(),
];
} else if($resourceMember->getType() === MemberType::ROLE->value) {
['organizationProviderId' => $organizationProviderId, 'roleId' => $roleId] = $resourceMember->getParsedPrincipal();
$organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId); $organizationProvider = $this->organizationProviderManager->getOrganizationProvider($organizationProviderId);
$role = $organizationProvider->getRole($roleId); $role = $organizationProvider->getRole($roleId);
$mapping = $this->userMappingManager->mappingFromId("group", $role->getMembersGroup()); $mapping = $this->userMappingManager->mappingFromId("group", $role->getMembersGroup());
} else { $nextInheritingPrincipals[] = [
throw new Exception("invalid resource member type"); "type" => "group",
"groupId" => $role->getMembersGroup(),
];
} else {
throw new Exception("invalid resource member type");
}
if(is_null($mapping)) {
// TODO: skip member instead of crashing
throw new Exception(message: "invalid mapping, likely non-existing group");
}
$acls[] = new Rule(
userMapping: $mapping,
fileId: $resourceFileId,
mask: 31,
permissions: $resourceMemberPermissions,
);
} }
if(is_null($mapping)) {
// TODO: skip member instead of crashing
throw new Exception(message: "invalid mapping, likely non-existing group");
}
$acls[] = new Rule(
userMapping: $mapping,
fileId: $resourceFileId,
mask: 31,
permissions: $resourceMemberPermissions,
);
} }
$this->aclManager->overwriteACLsForFileId($resourceFileId, $acls); $this->aclManager->overwriteACLsForFileId($resourceFileId, $acls);
// TODO: recurse sub-resources // recurse sub-resources
$subFolderResources = $this->getSubResources($folderResource, ["type" => "folder"]);
$this->recursivelySetFolderResourceALCs($subFolderResources, $path . $folderResource->getName() . "/", $nextInheritingPrincipals);
} }
} }
@ -287,8 +339,8 @@ class ResourceService {
/** /**
* get all direct sub-resources * get all direct sub-resources
*/ */
public function getSubResources(Resource $resource) { public function getSubResources(Resource $resource, array $filters = []) {
return $this->findAll($resource->getOrganizationFolderId(), $resource->getId()); return $this->findAll($resource->getOrganizationFolderId(), $resource->getId(), $filters);
} }
/** /**