pondersource / nc-sciencemesh

ScienceMesh application for NextCloud
MIT License

Unshare from Nextcloud to ownCloud doesn't work. #352

Open MahdiBaghbani opened 1 year ago

MahdiBaghbani commented 1 year ago

During a debug session with Marek, Milan, Giuseppe, Antoon, Thirsa, David, Mirek and David etc.

We found that we can unshare from OC to OC and from OC to NC, but not from NC to OC:

Nextcloud log:

{
  "reqId": "0JexICKyaKvpcurBglCv",
  "level": 3,
  "time": "2023-06-02T12:52:58+00:00",
  "remoteAddr": "192.248.171.117",
  "user": "einstein",
  "app": "no app in context",
  "method": "DELETE",
  "url": "/ocs/v2.php/apps/files_sharing/api/v1/shares/14",
  "message": "Server error: `POST https://sciencemesh.cesnet.cz/ocs/v2.php/cloud/shares/14/unshare?format=json` resulted in a `500 Internal Server Error` response:\nInternal Server Error\n",
  "userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0",
  "version": "26.0.0.6",
  "exception": {
    "Exception": "GuzzleHttp\\Exception\\ServerException",
    "Message": "Server error: `POST https://sciencemesh.cesnet.cz/ocs/v2.php/cloud/shares/14/unshare?format=json` resulted in a `500 Internal Server Error` response:\nInternal Server Error\n",
    "Code": 500,
    "Trace": [
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php",
        "line": 69,
        "function": "create",
        "class": "GuzzleHttp\\Exception\\RequestException",
        "type": "::"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 204,
        "function": "GuzzleHttp\\{closure}",
        "class": "GuzzleHttp\\Middleware",
        "type": "::",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 153,
        "function": "callHandler",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "::"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php",
        "line": 48,
        "function": "GuzzleHttp\\Promise\\{closure}",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "::",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 248,
        "function": "run",
        "class": "GuzzleHttp\\Promise\\TaskQueue",
        "type": "->"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 224,
        "function": "invokeWaitFn",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "->"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 269,
        "function": "waitIfPending",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "->"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 226,
        "function": "invokeWaitList",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "->"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php",
        "line": 62,
        "function": "waitIfPending",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "->"
      },
      {
        "file": "/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php",
        "line": 187,
        "function": "wait",
        "class": "GuzzleHttp\\Promise\\Promise",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/Http/Client/Client.php",
        "line": 297,
        "function": "request",
        "class": "GuzzleHttp\\Client",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/federatedfilesharing/lib/Notifications.php",
        "line": 385,
        "function": "post",
        "class": "OC\\Http\\Client\\Client",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/federatedfilesharing/lib/Notifications.php",
        "line": 359,
        "function": "tryLegacyEndPoint",
        "class": "OCA\\FederatedFileSharing\\Notifications",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/federatedfilesharing/lib/Notifications.php",
        "line": 292,
        "function": "tryHttpPostToShareEndpoint",
        "class": "OCA\\FederatedFileSharing\\Notifications",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/federatedfilesharing/lib/Notifications.php",
        "line": 222,
        "function": "sendUpdateToRemote",
        "class": "OCA\\FederatedFileSharing\\Notifications",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/federatedfilesharing/lib/FederatedShareProvider.php",
        "line": 560,
        "function": "sendRemoteUnShare",
        "class": "OCA\\FederatedFileSharing\\Notifications",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/Share20/Manager.php",
        "line": 1238,
        "function": "delete",
        "class": "OCA\\FederatedFileSharing\\FederatedShareProvider",
        "type": "->"
      },
      {
        "file": "/var/www/html/apps/files_sharing/lib/Controller/ShareAPIController.php",
        "line": 444,
        "function": "deleteShare",
        "class": "OC\\Share20\\Manager",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 230,
        "function": "deleteShare",
        "class": "OCA\\Files_Sharing\\Controller\\ShareAPIController",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 137,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/AppFramework/App.php",
        "line": 183,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/html/lib/private/Route/Router.php",
        "line": 315,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/var/www/html/ocs/v1.php",
        "line": 63,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/var/www/html/ocs/v2.php",
        "line": 23,
        "args": [
          "/var/www/html/ocs/v1.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/html/3rdparty/guzzlehttp/guzzle/src/Exception/RequestException.php",
    "Line": 113,
    "CustomMessage": "--"
  }
}

Reva on Nextcloud side log:

2023-06-02 12:51:36.739 WRN ../reva/internal/http/interceptors/log/log.go:108 > http end="02/Jun/2023:12:51:36 +0000" host=195.216.97.242 method=POST pid=151912 pkg=rhttp proto=HTTP/1.1 size=0 start="02/Jun/2023:12:51:36 +0000" status=401 time_ns=1765044 traceid=80c8025aedfecd5dd96da8a476be1bbe uri=/ocs/v2.php/cloud/shares/19/unshare?format=json url=/ocs/v2.php/cloud/shares/19/unshare?format=json
MahdiBaghbani commented 1 year ago

Security flaw:

Marek ---share---> Mahdi ---reshare---> Milan

Marek ---unshare---> Mahdi | Mahdi cannot see the share anymore

Flaw: Milan can still see the share! Marek doesn't see any shared status on the file he just unshared.

MahdiBaghbani commented 1 year ago

Also: We can confirm that NC can unshare the shares to OC instances.

Pondersource NC can unshare a share to Pondersource OC
Marek NC can unshare a share to Pondersource OC

MahdiBaghbani commented 1 year ago

https://github.com/pondersource/sciencemesh-php/issues/171 is a result of the #255 issue.

Reshare:
PSNC NC share to Ponder NC, reshare to Ponder OC: works
PSNC NC share to Ponder NC, reshare to CESNET OC: works
PSNC NC share to Ponder OC, reshare to CESNET OC: works

Unshare:
PSNC NC unshare to Ponder NC: works, but CESNET can still see the file
PSNC NC unshare to Ponder OC: works, but CESNET can still see the file
PSNC NC unshare to CESNET OC: does NOT work

MahdiBaghbani commented 1 year ago

It is probably a config mismatch, since this URL https://sciencemesh.cesnet.cz/ocs/v2.php/cloud/shares/14/unshare?format=json is pointing to the Reva domain (/ocs/v2.php/cloud/shares/14/unshare?format=json doesn't exist on the Reva endpoint) and not to the ownCloud domain, thus returning a 500 server error.

marqsbla commented 1 year ago

Regarding the unshare chain:

Marek ---share DIRECTORY A---> Mahdi ---reshare---> Milan
Marek ---unshare DIRECTORY A---> Mahdi ; Milan still sees the file

On my Nextcloud I could not see any information about the file being shared. In the logs I had the impression that CESNET was using another token (from other files I shared to them directly). At least that is how I've interpreted this line in the logs:

1.2.3.4 - dRBXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [05/Jun/2023:07:54:23 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 401 2006 "-" "sabre-dav/4.4.0 (http://sabre.io/)"

dRBXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is the token I found in the oc_share table, and it was associated with another share with CESNET. 1.2.3.4 was the CESNET IP. When I deleted the other shares, Milan could not see Directory A.

I see at least a few potential bugs here:

  1. I don't see that the directory is shared
  2. CESNET OC is using the wrong token to authorize
  3. Nextcloud is allowing DIRECTORY A to be seen with a token associated with another share.
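The two problems discussed in this thread, a reshare that survives the upstream unshare (the Marek -> Mahdi -> Milan chain) and a share token being honoured for a directory that belongs to a different share, are both properties of how a share table is consulted. The following is an added illustration in Python, not code from nc-sciencemesh, Nextcloud or ownCloud: the column names are assumptions loosely modelled on oc_share, the share rows are constructed to mirror the chain above, and the two checks (cascading revocation on unshare, and binding a token to its own share's subtree) are the ones a reviewer would expect to see before a downstream recipient can keep, or borrow, access.

```python
"""Model of a federated share table with reshare chains and share tokens.

Added illustration (not code from nc-sciencemesh, Nextcloud or ownCloud):
the column names below are assumptions loosely modelled on oc_share, and
the share rows are constructed to mirror the chain discussed in this issue.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Share:
    id: int
    owner: str                     # user who created this share
    shared_with: str               # recipient
    file_source: str               # root of the shared subtree
    token: str                     # bearer token used on /public.php/webdav/
    parent: Optional[int] = None   # share this one reshares, if any
    revoked: bool = False


class ShareStore:
    def __init__(self, shares: List[Share]) -> None:
        self.shares: Dict[int, Share] = {s.id: s for s in shares}
        self.by_token: Dict[str, Share] = {}
        for s in shares:
            if s.token in self.by_token:
                raise ValueError(f"duplicate token for share {s.id}")
            self.by_token[s.token] = s

    def children(self, share_id: int) -> List[Share]:
        return [s for s in self.shares.values() if s.parent == share_id]

    def revoke(self, share_id: int, cascade: bool = True) -> List[int]:
        """Revoke a share. Without cascade only that row is marked revoked,
        which is the behaviour the thread observed: the reshare row stays
        live and its recipient keeps access. With cascade, every reshare
        derived from it is revoked too. Returns the ids revoked."""
        revoked: List[int] = []
        stack = [share_id]
        while stack:
            sid = stack.pop()
            share = self.shares[sid]
            if share.revoked:
                continue
            share.revoked = True
            revoked.append(sid)
            if cascade:
                stack.extend(c.id for c in self.children(sid))
        return revoked

    def visible_to(self, user: str) -> Set[str]:
        """Paths the user can still reach through non-revoked share rows."""
        return {s.file_source for s in self.shares.values()
                if s.shared_with == user and not s.revoked}

    def authorize_webdav(self, token: str, requested_path: str) -> bool:
        """Token-bound authorisation: the token must belong to a live share
        and the requested path must lie inside that share's subtree. A token
        minted for share B therefore cannot read share A's directory."""
        share = self.by_token.get(token)
        if share is None or share.revoked:
            return False
        # Trailing slash on both sides so "/B" does not match "/B2/...".
        root = share.file_source.rstrip("/") + "/"
        req = requested_path.rstrip("/") + "/"
        return req.startswith(root)


def build_scenario() -> ShareStore:
    """Constructed rows: Marek shares Directory A to Mahdi, Mahdi reshares it
    to Milan, and Marek separately shares an unrelated folder B to Milan."""
    return ShareStore([
        Share(1, "marek", "mahdi", "/Directory A", "tokA1"),
        Share(2, "mahdi", "milan", "/Directory A", "tokA2", parent=1),
        Share(3, "marek", "milan", "/B", "tokB3"),
    ])


def unshare_directory_a(cascade: bool) -> List[str]:
    """Marek unshares Directory A from Mahdi; return what Milan still sees."""
    store = build_scenario()
    store.revoke(1, cascade=cascade)
    return sorted(store.visible_to("milan"))


if __name__ == "__main__":
    print("no cascade:", unshare_directory_a(False))  # ['/B', '/Directory A']
    print("cascade:   ", unshare_directory_a(True))   # ['/B']
    store = build_scenario()
    print("token of B used on A:", store.authorize_webdav("tokB3", "/Directory A"))  # False
```

Run as a script it prints the two outcomes side by side: with `cascade=False` the reshare row for Milan survives Marek's unshare, which is exactly the "Milan still sees the file" symptom; with cascading revocation only the unrelated folder B remains visible. The `authorize_webdav` check is the counterpart to point 3 above: a token is looked up to its own share row, and any request outside that row's `file_source` subtree is refused regardless of what other shares exist for the same remote.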