eosgrpc and HTTP - Small fixes for ACLs and client certs (#2252)

changelog/unreleased/sysacl-from-xattr.md

@@ -0,0 +1,3 @@
+Enhancement: Add the xattr sys.acl to SysACL (eosgrpc)
+
+https://github.com/cs3org/reva/pull/2252

pkg/eosclient/eosgrpc/eosgrpc.go

@@ -48,6 +48,8 @@ import (
 
 const (
 	versionPrefix = ".sys.v#."
+	// lwShareAttrKey = "reva.lwshare"
+	userACLEvalKey = "eval.useracl"
 )
 
 const (
@@ -485,10 +487,37 @@ func (c *Client) GetFileInfoByInode(ctx context.Context, auth eosclient.Authoriz
 	}
 
 	log.Debug().Str("func", "GetFileInfoByInode").Uint64("inode", inode).Msg("")
-	return c.mergeParentACLsForFiles(ctx, auth, info), nil
+	return c.fixupACLs(ctx, auth, info), nil
 }
 
-func (c *Client) mergeParentACLsForFiles(ctx context.Context, auth eosclient.Authorization, info *eosclient.FileInfo) *eosclient.FileInfo {
+func (c *Client) fixupACLs(ctx context.Context, auth eosclient.Authorization, info *eosclient.FileInfo) *eosclient.FileInfo {
+
+	// Append the ACLs that are described by the xattr sys.acl entry
+	a, err := acl.Parse(info.Attrs["sys.acl"], acl.ShortTextForm)
+	if err == nil {
+		if info.SysACL != nil {
+			info.SysACL.Entries = append(info.SysACL.Entries, a.Entries...)
+		} else {
+			info.SysACL = a
+		}
+	}
+
+	// Read user ACLs if sys.eval.useracl is set
+	if userACLEval, ok := info.Attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
+		if userACL, ok := info.Attrs["user.acl"]; ok {
+			userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
+			if err != nil {
+				return nil
+			}
+			for _, e := range userAcls.Entries {
+				err = info.SysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
+				if err != nil {
+					return nil
+				}
+			}
+		}
+	}
+
 	// We need to inherit the ACLs for the parent directory as these are not available for files
 	if !info.IsDir {
 		parentInfo, err := c.GetFileInfoByPath(ctx, auth, path.Dir(info.File))
@@ -640,7 +669,7 @@ func (c *Client) GetFileInfoByPath(ctx context.Context, auth eosclient.Authoriza
 		info.Inode = inode
 	}
 
-	return c.mergeParentACLsForFiles(ctx, auth, info), nil
+	return c.fixupACLs(ctx, auth, info), nil
 }
 
 // GetFileInfoByFXID returns the FileInfo by the given file id in hexadecimal

pkg/storage/utils/eosfs/config.go

@@ -152,6 +152,15 @@ type Config struct {
 	// HTTP connections to EOS: idle conections TTL
 	IdleConnTimeout int `mapstructure:"idle_conn_timeout"`
 
+	// HTTP connections to EOS: client certificate (usually a X509 host certificate)
+	ClientCertFile string `mapstructure:"http_client_certfile"`
+	// HTTP connections to EOS: client certificate key (usually a X509 host certificate)
+	ClientKeyFile string `mapstructure:"http_client_keyfile"`
+	// HTTP connections to EOS: CA directories
+	ClientCADirs string `mapstructure:"http_client_cadirs"`
+	// HTTP connections to EOS: CA files
+	ClientCAFiles string `mapstructure:"http_client_cafiles"`
+
 	// TokenExpiry stores in seconds the time after which generated tokens will expire
 	// Default is 3600
 	TokenExpiry int

pkg/storage/utils/eosfs/eosfs.go

@@ -179,6 +179,10 @@ func NewEOSFS(c *Config) (storage.FS, error) {
 			MaxConnsPerHost:     c.MaxConnsPerHost,
 			MaxIdleConnsPerHost: c.MaxIdleConnsPerHost,
 			IdleConnTimeout:     c.IdleConnTimeout,
+			ClientCertFile:      c.ClientCertFile,
+			ClientKeyFile:       c.ClientKeyFile,
+			ClientCADirs:        c.ClientCADirs,
+			ClientCAFiles:       c.ClientCAFiles,
 		}
 		eosClient, err = eosgrpc.New(eosClientOpts, eosHTTPOpts)
 	} else {