chore: improve permission checking with Context

ldclabs · Jul 16, 2024 · d0ed865 · d0ed865
1 parent 82a113b
commit d0ed865
Show file tree

Hide file tree

Showing 12 changed files with 234 additions and 125 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -18,7 +18,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "0.6.5"
+version = "0.6.6"
 edition = "2021"
 repository = "https://github.com/ldclabs/ic-oss"
 keywords = ["file", "storage", "oss", "s3", "icp"]

diff --git a/canister_ids.json b/canister_ids.json
@@ -1,5 +1,8 @@
 {
   "ic_oss_bucket": {
     "ic": "mmrxu-fqaaa-aaaap-ahhna-cai"
+  },
+  "ic_oss_cluster": {
+    "ic": "x5573-nqaaa-aaaap-ahopq-cai"
   }
 }
diff --git a/src/ic_oss/src/bucket.rs b/src/ic_oss/src/bucket.rs
@@ -439,7 +439,6 @@ impl Client {
                                 )
                                 .await?;
                                 let out = out?;
-
                                 Ok(Progress {
                                     filled: out.filled,
                                     size,

diff --git a/src/ic_oss_bucket/README.md b/src/ic_oss_bucket/README.md
@@ -71,7 +71,7 @@ ic-oss-cli -i debug/uploader.pem identity
 # principal: nprym-ylvyz-ig3fr-lgcmn-zzzt4-tyuix-3v6bm-fsel7-6lq6x-zh2w7-zqe
 
 # add managers
-dfx canister call ic_oss_bucket admin_set_managers "(vec {principal \"$MYID\"; principal \"nprym-ylvyz-ig3fr-lgcmn-zzzt4-tyuix-3v6bm-fsel7-6lq6x-zh2w7-zqe\"; principal \"pxfqr-x3orr-z5yip-7yzdd-hyxgd-dktgh-3awsk-ohzma-lfjzi-753j7-tae\"})"
+dfx canister call ic_oss_bucket admin_set_managers "(vec {principal \"$MYID\"; principal \"nprym-ylvyz-ig3fr-lgcmn-zzzt4-tyuix-3v6bm-fsel7-6lq6x-zh2w7-zqe\"})"
 
 # add public keys to verify the access tokens
 dfx canister call ic_oss_bucket admin_update_bucket '(record {
@@ -110,7 +110,6 @@ dfx canister call ic_oss_bucket create_folder "(record {
   parent = 0;
   name = \"home\";
 }, null)"
-dfx canister call ic_oss_bucket list_folders '(0, null)'
 
 dfx canister call ic_oss_bucket create_folder "(record {
   parent = 1;

diff --git a/src/ic_oss_bucket/src/api_admin.rs b/src/ic_oss_bucket/src/api_admin.rs
@@ -13,7 +13,7 @@ fn admin_set_managers(args: BTreeSet<Principal>) -> Result<(), String> {
     Ok(())
 }
 
-#[ic_cdk::query]
+#[ic_cdk::update]
 fn validate_admin_set_managers(args: BTreeSet<Principal>) -> Result<(), String> {
     if args.is_empty() {
         return Err("managers cannot be empty".to_string());
@@ -33,7 +33,7 @@ fn admin_set_auditors(args: BTreeSet<Principal>) -> Result<(), String> {
     Ok(())
 }
 
-#[ic_cdk::query]
+#[ic_cdk::update]
 fn validate_admin_set_auditors(args: BTreeSet<Principal>) -> Result<(), String> {
     if args.is_empty() {
         return Err("auditors cannot be empty".to_string());
@@ -82,7 +82,7 @@ fn admin_update_bucket(args: UpdateBucketInput) -> Result<(), String> {
     Ok(())
 }
 
-#[ic_cdk::query]
+#[ic_cdk::update]
 fn validate_admin_update_bucket(args: UpdateBucketInput) -> Result<(), String> {
     args.validate()
 }
diff --git a/src/ic_oss_bucket/src/api_http.rs b/src/ic_oss_bucket/src/api_http.rs
@@ -125,15 +125,15 @@ fn http_request(request: HttpRequest) -> HttpStreamingResponse {
             };
 
             let canister = ic_cdk::id();
-            let ps = match store::state::with(|s| {
+            let ctx = match store::state::with(|s| {
                 s.read_permission(
-                    &ic_cdk::caller(),
+                    ic_cdk::caller(),
                     &canister,
                     param.token,
                     ic_cdk::api::time() / SECONDS,
                 )
             }) {
-                Ok(ps) => ps,
+                Ok(ctx) => ctx,
                 Err((status_code, err)) => {
                     return HttpStreamingResponse {
                         status_code,
@@ -152,7 +152,16 @@ fn http_request(request: HttpRequest) -> HttpStreamingResponse {
                     ..Default::default()
                 },
                 Some(file) => {
-                    if !permission::check_file_read(&ps, &canister, id, file.parent) {
+                    if file.status < 0 && ctx.role < store::Role::Auditor {
+                        return HttpStreamingResponse {
+                            status_code: 403,
+                            headers,
+                            body: ByteBuf::from("file archived".as_bytes()),
+                            ..Default::default()
+                        };
+                    }
+
+                    if !permission::check_file_read(&ctx.ps, &canister, id, file.parent) {
                         return HttpStreamingResponse {
                             status_code: 403,
                             headers,

diff --git a/src/ic_oss_bucket/src/api_init.rs b/src/ic_oss_bucket/src/api_init.rs
@@ -37,9 +37,9 @@ impl UpgradeArgs {
             if max_file_size == 0 {
                 return Err("max_file_size should be greater than 0".to_string());
             }
-            if max_file_size < MAX_FILE_SIZE {
+            if max_file_size >= MAX_FILE_SIZE {
                 return Err(format!(
-                    "max_file_size should be greater than or equal to {}",
+                    "max_file_size should be smaller than or equal to {}",
                     MAX_FILE_SIZE
                 ));
             }