
OpenCloud cannot receive OCM shares from other EFSS

Open MahdiBaghbani opened this issue 2 months ago • 0 comments

This is a re-do of https://github.com/owncloud/ocis/issues/11735 in OpenCloud.

Version: opencloudeu/opencloud-rolling:3.4.0

OpenCloud to OpenCloud

Let's assume that the invitation process is already done and the contact is established.

Share Sender

OpenCloud 1

user: alan

share payload:

{
  "shareWith": "cd88bf9a-dd7f-11ef-a609-7f78deb2345f@https://2.opencloud.cloud.test.azadehafzar.io",
  "name": "opencloud-to-opencloud.md",
  "description": "",
  "providerId": "RED-ACTED",
  "owner": "YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@1.opencloud.cloud.test.azadehafzar.io",
  "sender": "YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@1.opencloud.cloud.test.azadehafzar.io",
  "ownerDisplayName": "",
  "senderDisplayName": "Alan Turing",
  "shareType": "user",
  "expiration": 0,
  "resourceType": "file",
  "protocol": {
    "name": "multi",
    "options": {},
    "webdav": {
      "sharedSecret": "RED-ACTED",
      "permissions": [
        "read"
      ],
      "url": "https://1.opencloud.cloud.test.azadehafzar.io/dav/ocm/RED-ACTED"
    }
  }
}

Problems:

  1. The "shareWith" field is supposed to be of the OCM Address type (spec); the https:// is not part of the specification for an OCM Address (spec).

Share Receiver

OpenCloud 2

user: dennis

Logs:

  1. Finds out about the sender provider from "sender":
2025-10-15T20:44:50Z DBG Determined Mesh Provider '1.opencloud.cloud.test.azadehafzar.io' from req.Sender 'YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@1.opencloud.cloud.test.azadehafzar.io' line=github.com/opencloud-eu/reva/[email protected]/internal/http/services/ocmd/shares.go:93 pkg=rhttp request-id=7b7530defb22/Wmn8DhtC62-001041 service=ocm traceid=cf02ebd3642724dc5407e527f9b46f47
  2. Gets the user the share is intended for from the payload's "shareWith" field; it only reads the opaque_id part of the OCM Address:
2025-10-15T20:44:50Z DBG GetUser id={"opaque_id":"cd88bf9a-dd7f-11ef-a609-7f78deb2345f"} line=github.com/opencloud-eu/reva/[email protected]/pkg/user/manager/ldap/ldap.go:101 pkg=rgrpc service=users traceid=c918599df4448656e464e1996012810e
  3. Does 3 LDAP searches:
2025-10-15T20:44:50Z DBG LDAP Search backend=ldap basedn=ou=users,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=cd88bf9a-dd7f-11ef-a609-7f78deb2345f)) line=github.com/opencloud-eu/reva/[email protected]/pkg/utils/ldap/identity.go:220 pkg=rgrpc scope=2 service=users traceid=c918599df4448656e464e1996012810e

2025-10-15T20:44:50Z DBG Calling boltdb search attrs=["displayname","openclouduuid","","mail","uid","uidNumber","gidNumber","openclouduserenabled","openCloudUserType"] basedn=ou=users,o=libregraph-idm binddn=uid=reva,ou=sysusers,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=cd88bf9a-dd7f-11ef-a609-7f78deb2345f)) line=github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50 op=search service=idm

2025-10-15T20:44:50Z DBG boltdb search returned 3 entries attrs=["displayname","openclouduuid","","mail","uid","uidNumber","gidNumber","openclouduserenabled","openCloudUserType"] basedn=ou=users,o=libregraph-idm binddn=uid=reva,ou=sysusers,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=cd88bf9a-dd7f-11ef-a609-7f78deb2345f)) line=github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50 op=search service=idm

Notice the (openclouduuid=cd88bf9a-dd7f-11ef-a609-7f78deb2345f).

My understanding is that OpenCloud uses the opaque_id portion of the "shareWith" OCM address from the share payload directly in the LDAP user search, without any manipulation or base64 decoding.

  4. The user for whom the share is intended is found:
2025-10-15T20:44:50Z DBG entries entry={"Attributes":[{"ByteValues":["RGVubmlzIFJpdGNoaWU="],"Name":"displayName","Values":["Dennis Ritchie"]},{"ByteValues":["ZGVubmlzQGV4YW1wbGUub3Jn"],"Name":"mail","Values":["[email protected]"]},{"ByteValues":["Y2Q4OGJmOWEtZGQ3Zi0xMWVmLWE2MDktN2Y3OGRlYjIzNDVm"],"Name":"openCloudUUID","Values":["cd88bf9a-dd7f-11ef-a609-7f78deb2345f"]},{"ByteValues":["VFJVRQ=="],"Name":"openCloudUserEnabled","Values":["TRUE"]},{"ByteValues":["ZGVubmlz"],"Name":"uid","Values":["dennis"]}],"DN":"uid=dennis,ou=users,o=libregraph-idm"} line=github.com/opencloud-eu/reva/[email protected]/pkg/user/manager/ldap/ldap.go:112 pkg=rgrpc service=users traceid=c918599df4448656e464e1996012810e

Others (in this case CERNBox) to OpenCloud

Invitation flow:

CERNBox shares a token, OpenCloud accepts and sends this payload:

{
  "email": "[email protected]",
  "name": "Alan Turing",
  "recipientProvider": "1.opencloud.cloud.test.azadehafzar.io",
  "token": "ed305914-b7ea-4b4e-a889-41a7217053c7",
  "userID": "YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw=="
}

So CERNBox (and Nextcloud) store YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@1.opencloud.cloud.test.azadehafzar.io as the OCM Address.

Also, based on the spec, the "userID" field should not be manipulated in any way by the receiver; it is supposed to be known at the token-receiver (payload sender) OCM server.

If we decode the base64-encoded "userID", we get: b1f74ec4-dd7e-11ef-a543-03775734d0f7@https://1.opencloud.cloud.test.azadehafzar.io

Share Sender

CERNBox

user: lopresti

The "shareWith" field is the OCM Address obtained during the invite process. share payload:

{
  "shareWith": "YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@1.opencloud.cloud.test.azadehafzar.io",
  "name": "shared_via_ocm.txt",
  "description": "",
  "providerId": "RED-ACTED",
  "owner": "[email protected]",
  "sender": "[email protected]",
  "ownerDisplayName": "",
  "senderDisplayName": "Giuseppe Lo Presti",
  "code": "",
  "shareType": "user",
  "resourceType": "file",
  "expiration": 0,
  "protocol": {
    "name": "multi",
    "options": {},
    "webapp": {
      "uri": "https://qa.cernbox.cern.ch/external/sciencemesh/RED-ACTED/{relative-path-to-shared-resource}",
      "viewMode": "",
      "sharedSecret": ""
    },
    "webdav": {
      "sharedSecret": "RED-ACTED",
      "permissions": [
        "read"
      ],
      "uri": "https://qa.cernbox.cern.ch/remote.php/dav/ocm/RED-ACTED"
    }
  }
}

Share Receiver

OpenCloud 1

user: alan

Logs:

  1. Finds out about the sender provider from "sender":
2025-10-15T10:00:55Z DBG Determined Mesh Provider 'qa.cernbox.cern.ch' from req.Sender '[email protected]' line=github.com/cs3org/reva/[email protected]/internal/http/services/ocmd/shares.go:91 pkg=rhttp request-id=46075842a68b/58Z5gnwZ0Q-000100 service=ocm traceid=4df953e7eaba2e5ecb0bac5f8b724800
  2. Gets the user the share is intended for from the payload's "shareWith" field; it only reads the opaque_id part of the OCM Address:
2025-10-15T10:00:55Z DBG GetUser id={"opaque_id":"YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw=="} line=github.com/cs3org/reva/[email protected]/pkg/user/manager/ldap/ldap.go:101 pkg=rgrpc service=users traceid=34778013c46575d69193c8c7f8497cca
  3. Does 3 LDAP searches:
2025-10-15T20:44:50Z DBG LDAP Search backend=ldap basedn=ou=users,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==)) line=github.com/opencloud-eu/reva/[email protected]/pkg/utils/ldap/identity.go:220 pkg=rgrpc scope=2 service=users traceid=c918599df4448656e464e1996012810e

2025-10-15T20:44:50Z DBG Calling boltdb search attrs=["displayname","openclouduuid","","mail","uid","uidNumber","gidNumber","openclouduserenabled","openCloudUserType"] basedn=ou=users,o=libregraph-idm binddn=uid=reva,ou=sysusers,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==)) line=github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50 op=search service=idm

2025-10-15T20:44:50Z DBG boltdb search returned 3 entries attrs=["displayname","openclouduuid","","mail","uid","uidNumber","gidNumber","openclouduserenabled","openCloudUserType"] basedn=ou=users,o=libregraph-idm binddn=uid=reva,ou=sysusers,o=libregraph-idm filter=(&(objectclass=inetOrgPerson)(openclouduuid=YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==)) line=github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50 op=search service=idm

Notice the (openclouduuid=YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==).

Now we have a problem!

  4. The user for whom the share is intended is NOT found:
2025-10-15T10:00:55Z ERR user not found error="user not found" line=github.com/cs3org/reva/[email protected]/internal/http/services/reqres/reqres.go:64 pkg=rhttp request-id=46075842a68b/58Z5gnwZ0Q-000100 service=ocm traceid=4df953e7eaba2e5ecb0bac5f8b724800

Conclusion

If OpenCloud sends a base64-encoded identifier to other EFSS systems, it should handle the decoding as well and not depend on the remote end to do it. For a remote system, the identifier is opaque, and any manipulation or decoding is outside of the OCM specification.

MahdiBaghbani avatar Oct 15 '25 21:10 MahdiBaghbani
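The receiver-side handling the issue argues for, written out as an added example by the editor. This is not OpenCloud's or reva's code; the function names (ParseOCMAddress, LocalUserLookupKey, ReceiverLookupKey) and the "split on the last @" rule are this example's own choices. It treats the opaque_id exactly as the spec demands on the wire (never altered by the remote side), and puts the one place where base64 decoding is legitimate inside the instance that minted the identifier: if the opaque_id decodes to "<uuid>@https://<this instance's host>", the uuid is used for the user-backend search; anything else is searched for verbatim. Unlike the current OpenCloud behaviour shown in the post's logs, it also rejects a provider part that carries a URL scheme, since that is outside the OCM Address format.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// OCMAddress is the "opaque_id@provider" pair used in OCM "shareWith".
type OCMAddress struct {
	OpaqueID string
	Provider string
}

var ErrBadAddress = errors.New("invalid OCM address")

// ParseOCMAddress splits on the LAST '@' so that an opaque id may itself
// contain '@' (e.g. an e-mail-shaped id). The provider part must be a host,
// not a URL: a scheme there is outside the OCM Address format.
func ParseOCMAddress(s string) (OCMAddress, error) {
	i := strings.LastIndex(s, "@")
	if i <= 0 || i == len(s)-1 {
		return OCMAddress{}, ErrBadAddress
	}
	addr := OCMAddress{OpaqueID: s[:i], Provider: s[i+1:]}
	if strings.Contains(addr.Provider, "://") {
		return OCMAddress{}, fmt.Errorf("%w: provider %q carries a URL scheme", ErrBadAddress, addr.Provider)
	}
	return addr, nil
}

// LocalUserLookupKey returns the value the receiving instance should search its
// own user backend for. Only an identifier this instance minted itself (base64 of
// "<uuid>@https://<ownHost>", as seen in the invite "userID") is decoded; the
// host check ties the decoded form to this instance. Every other opaque id is
// passed through untouched, because to the remote side it is opaque.
func LocalUserLookupKey(opaqueID, ownHost string) string {
	raw, err := base64.StdEncoding.DecodeString(opaqueID)
	if err != nil {
		return opaqueID // e.g. a plain UUID with dashes is not valid base64
	}
	uuid, host, ok := strings.Cut(string(raw), "@")
	if !ok || uuid == "" {
		return opaqueID
	}
	host = strings.TrimPrefix(strings.TrimPrefix(host, "https://"), "http://")
	if host != ownHost {
		return opaqueID
	}
	return uuid
}

// ReceiverLookupKey is the end-to-end receiver step: parse shareWith, make sure
// the share is addressed to this instance, then derive the backend search key.
func ReceiverLookupKey(shareWith, ownHost string) (string, error) {
	addr, err := ParseOCMAddress(shareWith)
	if err != nil {
		return "", err
	}
	if addr.Provider != ownHost {
		return "", fmt.Errorf("share addressed to %q, this instance is %q", addr.Provider, ownHost)
	}
	return LocalUserLookupKey(addr.OpaqueID, ownHost), nil
}

func main() {
	own := "1.opencloud.cloud.test.azadehafzar.io"
	// shareWith values taken from the two payloads in the post.
	for _, sw := range []string{
		"YjFmNzRlYzQtZGQ3ZS0xMWVmLWE1NDMtMDM3NzU3MzRkMGY3QGh0dHBzOi8vMS5vcGVuY2xvdWQuY2xvdWQudGVzdC5hemFkZWhhZnphci5pbw==@" + own,
		"cd88bf9a-dd7f-11ef-a609-7f78deb2345f@https://2.opencloud.cloud.test.azadehafzar.io",
	} {
		key, err := ReceiverLookupKey(sw, own)
		fmt.Printf("shareWith=%q -> key=%q err=%v\n", sw, key, err)
	}
}
```

Run as-is, the CERNBox-style shareWith resolves to the uuid b1f74ec4-dd7e-11ef-a543-03775734d0f7 (the value the LDAP filter in the post should have contained), while the OpenCloud-to-OpenCloud shareWith is rejected because its provider part starts with https://.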