public folders - wip

Author: TimCsaky

Untitled-1.java

@@ -0,0 +1,25 @@
+setting f1 to public - db:I, s3:Allow
+    f2 shows as public - db:null, s3:null
+        o1 shows as public - db:null, s3:null
+
+
+setting f1 to private - db:0, s3:null
+    f2 shows as private - db:null, S3:null
+        o1 is private - db:null, S3: null
+
+        // coms public = where object/bucket.public is true... or if null, where a parent is true.
+        // coms not public = where object/bucket.public is false or if null, where a parent is false.
+
+        // let status;
+        // if(resource.public) status =  resource.public;
+        // else{
+        //     // get parents
+        //     sort by key length
+        //     get status from first in array where not null
+        // }
+
+but the problem with this is that calculating public status is too costly
+
+
+coms public = object.public = true, null or false is false
+

app/src/components/constants.js

@@ -57,7 +57,7 @@ module.exports = Object.freeze({
   /** Maximum Content Length supported by S3 CopyObjectCommand */
   MAXCOPYOBJECTLENGTH: 5 * 1024 * 1024 * 1024, // 5 GB
 
-  /** Maximum Content Length supported by S3 CopyObjectCommand */
+  /** Maximum Content Length (file size) supported by S3 */
   MAXFILEOBJECTLENGTH: 5 * 1024 * 1024 * 1024 * 1024, // 5 TB
 
   /** Allowable values for the Metadata Directive parameter */

app/src/components/queueManager.js

@@ -58,6 +58,7 @@ class QueueManager {
     if (!this.isBusy && !this.toClose) {
       objectQueueService.queueSize().then(size => {
         if (size > 0) this.processNextJob();
+        // if (size > 0);
       }).catch((err) => {
         log.error(`Error encountered while checking queue: ${err.message}`, { function: 'checkQueue', error: err });
       });

app/src/components/utils.js

@@ -357,6 +357,21 @@ const utils = {
       && pathParts.filter(part => !prefixParts.includes(part)).length === 1;
   },
 
+  /**
+   * @function isBelowPrefix
+   * Predicate function determining if a path is 'below' a prefix
+   * @param {string} prefix The base "folder"
+   * @param {string} path The "sub-folder" to check
+   * @returns {boolean} True if path is below of prefix. False in all other cases.
+   */
+  isBelowPrefix(prefix, path) {
+    if (typeof prefix !== 'string' || typeof path !== 'string') return false;
+    else if (path === prefix) return false;
+    else if (prefix === DELIMITER) return true;
+    else if (path.startsWith(prefix)) return true;
+    else return false;
+  },
+
   /**
    * @function isTruthy
    * Returns true if the element name in the object contains a truthy value

app/src/controllers/bucket.js

@@ -9,6 +9,7 @@ const log = require('../components/log')(module.filename);
 const {
   addDashesToUuid,
   getCurrentIdentity,
+  getBucket,
   isTruthy,
   joinPath,
   mixedQueryToArray,
@@ -323,6 +324,48 @@ const controller = {
     }
   },
 
+
+  /**
+   * @function togglePublic
+   * Sets the public flag of a bucket (or folder)
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async togglePublic(req, res, next) {
+    try {
+      const bucketId = addDashesToUuid(req.params.bucketId);
+      const publicFlag = isTruthy(req.query.public) ?? false;
+      const userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+
+      const bucket = await getBucket(bucketId);
+      const data = {
+        bucketId: bucketId,
+        path: bucket.key + '/',
+        public: publicFlag,
+        userId: userId
+      };
+      await storageService.updatePublic(data).catch(() => {
+        log.warn('Failed to apply permission changes to S3', { function: 'togglePublic', ...data });
+      });
+      // const s3Public = await storageService.getPublic({ path: data.path, bucketId: bucketId });
+      // console.log('s3Public', s3Public);
+
+      const response = await bucketService.updatePublic({
+        ...bucket,
+        bucketId: bucketId,
+        public: publicFlag,
+        userId: userId
+      });
+
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+
   /**
    * @function updateBucket
    * Updates a bucket

app/src/controllers/object.js

@@ -308,7 +308,9 @@ const controller = {
           existingObjectId: objectId,
         });
 
-      } catch (err) {
+      }
+      // headObject threw an error because object was not found
+      catch (err) {
         if (err instanceof Problem) throw err; // Rethrow Problem type errors
 
         // Object is soft deleted from the bucket
@@ -1074,19 +1076,19 @@ const controller = {
       const data = {
         id: objId,
         bucketId: req.currentObject?.bucketId,
-        filePath: req.currentObject?.path,
+        path: req.currentObject?.path,
         public: publicFlag,
         userId: userId,
-        // TODO: Implement if/when we proceed with version-scoped public permission management
-        // s3VersionId: await getS3VersionId(
-        //   req.query.s3VersionId, addDashesToUuid(req.query.versionId), objId
-        // )
       };
 
-      storageService.putObjectPublic(data).catch(() => {
-        // Gracefully continue even when S3 ACL management operation fails
-        log.warn('Failed to apply ACL permission changes to S3', { function: 'togglePublic', ...data });
+      await storageService.updatePublic(data).catch(() => {
+        log.warn('Failed to apply permission changes to S3', { function: 'togglePublic', ...data });
       });
+
+      const s3Public = await storageService.getPublic({ path: data.path, bucketId: req.currentObject?.bucketId });
+
+      console.log('s3Public', s3Public);
+
       const response = await objectService.update(data);
 
       res.status(200).json(response);

app/src/controllers/sync.js

@@ -141,7 +141,9 @@ const controller = {
               dbBuckets = dbBuckets.filter(b => b.bucketId !== dbBucket.bucketId);
             })
         )
+        // TODO: delete COMS S3 Policies for deleted COMS buckets and child objects.
       );
+
       // add current user's permissions to all buckets
       await Promise.all(
         dbBuckets.map(bucket => {
@@ -176,6 +178,13 @@ const controller = {
             });
         })
       );
+
+
+      // Sync Public Policies
+      // S3 Bucket Policies applied by COMS to make a file or prefix 'public'
+      // need to be synced with the bucket.public value in COMS db
+
+
       return dbBuckets;
     }
     catch (err) {

app/src/db/migrations/20250422000000_016-bucket-public.js

@@ -0,0 +1,35 @@
+exports.up = function (knex) {
+  return Promise.resolve()
+    // allow null for object.public
+    .then(() => knex.schema.alterTable('object', table => {
+      table.boolean('public').nullable().alter();
+    }))
+    // where object.public is false, set to null
+    .then(() => knex('object')
+      .where({ 'public': false })
+      .update({ 'public': null }))
+    .then(() => knex.schema.alterTable('object', table => {
+      table.boolean('public').nullable().alter();
+    }))
+    // add public column to bucket table
+    .then(() => knex.schema.alterTable('bucket', table => {
+      table.boolean('public');
+    }));
+};
+
+exports.down = function (knex) {
+  return Promise.resolve()
+    // drop public column in bucket table
+    .then(() => knex.schema.alterTable('bucket', table => {
+      table.dropColumn('public');
+    }))
+    // where object.public is null, set to false
+    .then(() => knex('object')
+      .where({ 'public': null })
+      .update({ 'public': false }))
+
+    // disallow null for object.public
+    .then(() => knex.schema.alterTable('object', table => {
+      table.boolean('public').notNullable().alter();
+    }));
+};

app/src/db/models/tables/bucket.js

@@ -99,6 +99,7 @@ class Bucket extends mixin(Model, [
         region: { type: 'string', maxLength: 255 },
         active: { type: 'boolean' },
         lastSyncRequestedDate: { type: ['string', 'null'], format: 'date-time' },
+        public: { type: 'boolean' },
         ...stamps
       },
       additionalProperties: false

app/src/middleware/authorization.js

@@ -35,11 +35,13 @@ const _checkPermission = async ({ currentObject, currentUser, params }, permissi
     const searchParams = { permCode: permission, userId: userId };
 
     if (params.objectId) {
+      // add object permissions
       permissions.push(...await objectPermissionService.searchPermissions({
         objId: params.objectId, ...searchParams
       }));
     }
     if (params.bucketId || currentObject.bucketId) {
+      // add bucket permissions
       permissions.push(...await bucketPermissionService.searchPermissions({
         bucketId: params.bucketId || currentObject.bucketId, ...searchParams
       }));
@@ -52,6 +54,7 @@ const _checkPermission = async ({ currentObject, currentUser, params }, permissi
   log.debug('Missing user identification', { function: '_checkPermission' });
   return result;
 };
+
 /**
  * @function checkS3BasicAccess
  * Checks and authorized access to perform operation for s3 basic authentication request
@@ -138,6 +141,31 @@ const checkAppMode = (req, _res, next) => {
   next();
 };
 
+/**
+ * @function currentBucket
+ * Injects a currentBucket object to the request if there is an applicable bucket record
+ * @param {object} req Express request object
+ * @param {object} _res Express response object
+ * @param {function} next The next callback function
+ * @returns {function} Express middleware function
+ */
+// const currentBucket = async (req, _res, next) => {
+//   try {
+//     if (mixedQueryToArray(req.query.bucketId).length === 1) {
+//       const bucket = await bucketService.read(req.query.bucketId);
+//       if (bucket) {
+//         req.currentBucket = Object.freeze({
+//           ...redactSecrets(bucket, ['accessKeyId', 'secretAccessKey'])
+//         });
+//       }
+//     }
+//   } catch (err) {
+//     log.warn(err.message, { function: 'currentBucket' });
+//   }
+//   next();
+// };
+
+
 /**
  * @function currentObject
  * Injects a currentObject object to the request if there is an applicable object record
@@ -190,15 +218,22 @@ const hasPermission = (permission) => {
         throw new Error('Missing object record');
       } else if (authType === AuthType.BASIC && canBasicMode(authMode)) {
         log.debug('Basic authTypes are always permitted', { function: 'hasPermission' });
-      } else if (req.params.objectId && req.currentObject.public && permission === Permissions.READ) {
+      }
+      // if reading a public object
+      else if (req.params.objectId && await isObjectPublic(req.currentObject) && permission === Permissions.READ) {
         log.debug('Read requests on public objects are always permitted', { function: 'hasPermission' });
-      } else if (!await _checkPermission(req, permission)) {
+      }
+      // if reading a public bucket
+      else if (req.params.bucketId && await isBucketPublic(req.params.bucketId) && permission === Permissions.READ) {
+        log.debug('Read requests on public buckets are always permitted', { function: 'hasPermission' });
+      }
+      else if (!await _checkPermission(req, permission)) {
         throw new Error(`User lacks required permission ${permission}`);
       }
     } catch (err) {
       log.verbose(err.message, { function: 'hasPermission' });
       return next(new Problem(403, {
-        detail: 'User lacks permission to complete this action',
+        detail: 'User lacks permission to complete this action' + err,
         instance: req.originalUrl
       }));
     }
@@ -207,6 +242,59 @@ const hasPermission = (permission) => {
   };
 };
 
+// const isBucketPublic = async (req, _res, next) => {
+//   // if an unauthenticated request
+//   if (!req.currentUser || req.currentUser.authType === AuthType.NONE) {
+//     // if providing a single bucketId in query
+//     if (mixedQueryToArray(req.query.bucketId).length === 1) {
+//       const bucket = await bucketService.read(req.query.bucketId);
+//       // and bucket public is truthy
+//       if (!bucket.public) {
+//         return next(new Problem(403, {
+//           detail: 'Bucket is not public',
+//           instance: req.originalUrl
+//         }));
+//       }
+//     }
+//   }
+//   else {
+//     return next(new Problem(403, {
+//       detail: 'User lacks permission to complete this action',
+//       instance: req.originalUrl
+//     }));
+//   }
+//   next();
+// };
+
+
+/**
+ * get public status from COMS database
+ * checks current object and all parent folders
+ */
+const isObjectPublic = async (currentObject) => {
+  if (currentObject.public) return true;
+  if (await isBucketPublic(currentObject.bucketId)) return true;
+  return false;
+};
+
+/**
+ * get public status from COMS database
+ * checks current folder and all parent folders
+ */
+const isBucketPublic = async (bucketId) => {
+  const bucket = await bucketService.read(bucketId);
+  if (bucket.public) return true;
+  const parentBuckets = await bucketService.searchParentBuckets(bucket);
+  if (parentBuckets.some(b => b.public)) return true;
+  return false;
+};
+
 module.exports = {
-  _checkPermission, checkAppMode, checkS3BasicAccess, currentObject, hasPermission
+  _checkPermission,
+  checkAppMode,
+  isBucketPublic,
+  isObjectPublic,
+  checkS3BasicAccess,
+  currentObject,
+  hasPermission
 };