Add role based scopes

cs3org · Apr 27, 2021 · 7ab7db2 · 7ab7db2
1 parent f649e12
commit 7ab7db2
Show file tree

Hide file tree

Showing 3 changed files with 181 additions and 4 deletions.
diff --git a/cs3/auth/provider/v1beta1/resources.proto b/cs3/auth/provider/v1beta1/resources.proto
@@ -0,0 +1,57 @@
+// Copyright 2018-2019 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+syntax = "proto3";
+
+package cs3.auth.provider.v1beta1;
+
+option csharp_namespace = "Cs3.Auth.Provider.V1Beta1";
+option go_package = "providerv1beta1";
+option java_multiple_files = true;
+option java_outer_classname = "ResourcesProto";
+option java_package = "com.cs3.auth.provider.v1beta1";
+option objc_class_prefix = "CAP";
+option php_namespace = "Cs3\\Auth\\Provider\\V1Beta1";
+
+// Scope defines role-based permissions for various paths.
+message Scope {
+  // REQUIRED.
+  // The path to which a scope applies.
+  string path = 1;
+  // REQUIRED.
+  // The role associated with a particular path.
+  Role role = 2;
+}
+
+// The role associated with the scope.
+enum Role {
+  // Used for invalid roles
+  ROLE_INVALID = 0;
+  // Provides backwards compatibility
+  ROLE_LEGACY = 1;
+  // Grants non-editor role on a resource
+  ROLE_VIEWER = 2;
+  // Grants editor permission on a resource, including folders
+  ROLE_EDITOR = 3;
+  // Grants editor permission on a single file
+  ROLE_FILE_EDITOR = 4;
+  // Grants owner permissions on a resource
+  ROLE_COOWNER = 5;
+  // Role with only write permission can use InitiateFileUpload, nothing else
+  ROLE_UPLOADER = 6;
+}
diff --git a/cs3/gateway/v1beta1/gateway_api.proto b/cs3/gateway/v1beta1/gateway_api.proto
@@ -30,6 +30,7 @@ option php_namespace = "Cs3\\Gateway\\V1Beta1";
 
 import "cs3/app/provider/v1beta1/provider_api.proto";
 import "cs3/app/registry/v1beta1/registry_api.proto";
+import "cs3/auth/provider/v1beta1/resources.proto";
 import "cs3/auth/registry/v1beta1/registry_api.proto";
 import "cs3/gateway/v1beta1/resources.proto";
 import "cs3/identity/group/v1beta1/group_api.proto";
@@ -378,10 +379,10 @@ message AuthenticateRequest {
   string client_secret = 4;
   // OPTIONAL.
   // The scope of the issued token.
-  // This would be a list of paths to which the token would allow access to.
+  // This would be a list of paths with corresponding role-based access scope.
   // In case it's not defined, there would be no restriction on the access of
   // the minted token.
-  repeated string token_scope = 5;
+  repeated cs3.auth.provider.v1beta1.Scope token_scope = 5;
 }
 
 message AuthenticateResponse {

diff --git a/docs/index.html b/docs/index.html
@@ -604,6 +604,25 @@ <h2>Table of Contents</h2>
           </li>
 
 
+          <li>
+            <a href="#cs3%2fauth%2fprovider%2fv1beta1%2fresources.proto">cs3/auth/provider/v1beta1/resources.proto</a>
+            <ul>
+
+                <li>
+                  <a href="#cs3.auth.provider.v1beta1.Scope"><span class="badge">M</span>Scope</a>
+                </li>
+
+
+                <li>
+                  <a href="#cs3.auth.provider.v1beta1.Role"><span class="badge">E</span>Role</a>
+                </li>
+
+
+
+            </ul>
+          </li>
+
+
           <li>
             <a href="#cs3%2fauth%2fregistry%2fv1beta1%2fregistry_api.proto">cs3/auth/registry/v1beta1/registry_api.proto</a>
             <ul>
@@ -1848,11 +1867,11 @@ <h3 id="cs3.gateway.v1beta1.AuthenticateRequest">AuthenticateRequest</h3>
 
                 <tr>
                   <td>token_scope</td>
-                  <td><a href="#string">string</a></td>
+                  <td><a href="#cs3.auth.provider.v1beta1.Scope">cs3.auth.provider.v1beta1.Scope</a></td>
                   <td>repeated</td>
                   <td><p>OPTIONAL.
 The scope of the issued token.
-This would be a list of paths to which the token would allow access to.
+This would be a list of paths with corresponding role-based access scope.
 In case it&#39;s not defined, there would be no restriction on the access of
 the minted token. </p></td>
                 </tr>
@@ -5512,6 +5531,106 @@ <h3 id="cs3.auth.provider.v1beta1.ProviderAPI">ProviderAPI</h3>
 
 
 
+      <div class="file-heading">
+        <h2 id="cs3/auth/provider/v1beta1/resources.proto">cs3/auth/provider/v1beta1/resources.proto</h2><a href="#title">Top</a>
+      </div>
+      <p></p>
+
+
+        <h3 id="cs3.auth.provider.v1beta1.Scope">Scope</h3>
+        <p>Scope defines role-based permissions for various paths.</p>
+
+
+          <table class="field-table">
+            <thead>
+              <tr><td>Field</td><td>Type</td><td>Label</td><td>Description</td></tr>
+            </thead>
+            <tbody>
+
+                <tr>
+                  <td>path</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p>REQUIRED.
+The path to which a scope applies. </p></td>
+                </tr>
+
+                <tr>
+                  <td>role</td>
+                  <td><a href="#cs3.auth.provider.v1beta1.Role">Role</a></td>
+                  <td></td>
+                  <td><p>REQUIRED.
+The role associated with a particular path. </p></td>
+                </tr>
+
+            </tbody>
+          </table>
+
+
+
+
+
+
+
+        <h3 id="cs3.auth.provider.v1beta1.Role">Role</h3>
+        <p>The role associated with the scope.</p>
+        <table class="enum-table">
+          <thead>
+            <tr><td>Name</td><td>Number</td><td>Description</td></tr>
+          </thead>
+          <tbody>
+
+              <tr>
+                <td>ROLE_INVALID</td>
+                <td>0</td>
+                <td><p>Used for invalid roles</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_LEGACY</td>
+                <td>1</td>
+                <td><p>Provides backwards compatibility</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_VIEWER</td>
+                <td>2</td>
+                <td><p>Grants non-editor role on a resource</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_EDITOR</td>
+                <td>3</td>
+                <td><p>Grants editor permission on a resource, including folders</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_FILE_EDITOR</td>
+                <td>4</td>
+                <td><p>Grants editor permission on a single file</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_COOWNER</td>
+                <td>5</td>
+                <td><p>Grants owner permissions on a resource</p></td>
+              </tr>
+
+              <tr>
+                <td>ROLE_UPLOADER</td>
+                <td>6</td>
+                <td><p>Role with only write permission can use InitiateFileUpload, nothing else</p></td>
+              </tr>
+
+          </tbody>
+        </table>
+
+
+
+
+
+
+
       <div class="file-heading">
         <h2 id="cs3/auth/registry/v1beta1/registry_api.proto">cs3/auth/registry/v1beta1/registry_api.proto</h2><a href="#title">Top</a>
       </div>