[full-ci] feat: [OCISDEV-533] Provide the protected-* spaces

.gitignore

@@ -64,3 +64,4 @@ go.work.sum
 .envrc
 CLAUDE.md
 .claude/
+.agents/

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245
-	github.com/owncloud/reva/v2 v2.0.0-20260223124048-61ee39d95d5f
+	github.com/owncloud/reva/v2 v2.0.0-20260303153746-059bcdfc4fbb
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og=
-github.com/owncloud/reva/v2 v2.0.0-20260223124048-61ee39d95d5f h1:M935ztFcjtRbP3ns8Fgb2XL5jalNd3sXYMUXf0kAwTQ=
-github.com/owncloud/reva/v2 v2.0.0-20260223124048-61ee39d95d5f/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ=
+github.com/owncloud/reva/v2 v2.0.0-20260303153746-059bcdfc4fbb h1:+g9i1ZCb5EAufhjX967R2Zkw3UtgKk6XfXNQ4LQg9iE=
+github.com/owncloud/reva/v2 v2.0.0-20260303153746-059bcdfc4fbb/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=

services/gateway/pkg/revaconfig/config.go

@@ -160,6 +160,14 @@ func spacesProviders(cfg *config.Config, logger log.Logger) map[string]map[strin
 					"mount_point":   "/projects",
 					"path_template": "/projects/{{.Space.Name}}",
 				},
+				"protected-personal": map[string]interface{}{
+					"mount_point":   "/protected-users",
+					"path_template": "/protected-users/{{.Space.Name}}",
+				},
+				"protected-project": map[string]interface{}{
+					"mount_point":   "/protected-projects",
+					"path_template": "/protected-projects/{{.Space.Name}}",
+				},
 			},
 		},
 		cfg.StorageSharesEndpoint: {

services/graph/pkg/service/v0/drives.go

@@ -37,11 +37,13 @@ import (
 )
 
 const (
-	_spaceTypePersonal   = "personal"
-	_spaceTypeProject    = "project"
-	_spaceTypeVirtual    = "virtual"
-	_spaceTypeMountpoint = "mountpoint"
-	_spaceStateTrashed   = "trashed"
+	_spaceTypePersonal          = "personal"
+	_spaceTypeProject           = "project"
+	_spaceTypeProtectedPersonal = "protected-personal"
+	_spaceTypeProtectedProject  = "protected-project"
+	_spaceTypeVirtual           = "virtual"
+	_spaceTypeMountpoint        = "mountpoint"
+	_spaceStateTrashed          = "trashed"
 
 	_sortDescending = "desc"
 )
@@ -78,7 +80,7 @@ func (g Graph) GetDrives(version APIVersion) http.HandlerFunc {
 // GetDrivesV1 attempts to retrieve the current users drives;
 // it lists all drives the current user has access to.
 func (g Graph) GetDrivesV1(w http.ResponseWriter, r *http.Request) {
-	spaces, errCode := g.getDrives(r, false, APIVersion_1)
+	spaces, errCode := g.getDrives(w, r, false, APIVersion_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
 		return
@@ -99,7 +101,7 @@ func (g Graph) GetDrivesV1(w http.ResponseWriter, r *http.Request) {
 // it includes the grantedtoV2 property
 // it uses unified roles instead of the cs3 representations
 func (g Graph) GetDrivesV1Beta1(w http.ResponseWriter, r *http.Request) {
-	spaces, errCode := g.getDrives(r, false, APIVersion_1_Beta_1)
+	spaces, errCode := g.getDrives(w, r, false, APIVersion_1_Beta_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
 		return
@@ -133,14 +135,11 @@ func (g Graph) GetAllDrives(version APIVersion) http.HandlerFunc {
 // GetAllDrivesV1 attempts to retrieve the current users drives;
 // it includes another user's drives, if the current user has the permission.
 func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
-	if !mfa.Has(r.Context()) {
-		logger := g.logger.SubloggerWithRequestID(r.Context())
-		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
-		mfa.SetRequiredStatus(w)
+	if !g.validateMFA(r, w) {
 		return
 	}
 
-	spaces, errCode := g.getDrives(r, true, APIVersion_1)
+	spaces, errCode := g.getDrives(w, r, true, APIVersion_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
 		return
@@ -160,14 +159,11 @@ func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
 // it includes the grantedtoV2 property
 // it uses unified roles instead of the cs3 representations
 func (g Graph) GetAllDrivesV1Beta1(w http.ResponseWriter, r *http.Request) {
-	if !mfa.Has(r.Context()) {
-		logger := g.logger.SubloggerWithRequestID(r.Context())
-		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
-		mfa.SetRequiredStatus(w)
+	if !g.validateMFA(r, w) {
 		return
 	}
 
-	drives, errCode := g.getDrives(r, true, APIVersion_1_Beta_1)
+	drives, errCode := g.getDrives(w, r, true, APIVersion_1_Beta_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
 		return
@@ -184,7 +180,7 @@ func (g Graph) GetAllDrivesV1Beta1(w http.ResponseWriter, r *http.Request) {
 }
 
 // getDrives implements the Service interface.
-func (g Graph) getDrives(r *http.Request, unrestricted bool, apiVersion APIVersion) ([]*libregraph.Drive, error) {
+func (g Graph) getDrives(w http.ResponseWriter, r *http.Request, unrestricted bool, apiVersion APIVersion) ([]*libregraph.Drive, error) {
 	logger := g.logger.SubloggerWithRequestID(r.Context())
 	logger.Info().
 		Interface("query", r.URL.Query()).
@@ -197,6 +193,10 @@ func (g Graph) getDrives(r *http.Request, unrestricted bool, apiVersion APIVersi
 		logger.Debug().Err(err).Interface("query", r.URL.Query()).Msg("could not get drives: query error")
 		return nil, errorcode.New(errorcode.InvalidRequest, err.Error())
 	}
+
+	if !g.validateQueryMFA(r, w, odataReq.Query, DriveTypeValidator{}) {
+		return nil, errorcode.New(errorcode.AccessDenied, "")
+	}
 	ctx := r.Context()
 
 	filters, err := generateCs3Filters(odataReq)
@@ -409,6 +409,8 @@ func (g Graph) createDrive(w http.ResponseWriter, r *http.Request, apiVersion AP
 	switch driveType {
 	case "", _spaceTypeProject:
 		driveType = _spaceTypeProject
+	case _spaceTypeProtectedProject:
+		driveType = _spaceTypeProtectedProject
 	default:
 		logger.Debug().Str("type", driveType).Msg("could not create drive: drives of this type cannot be created via this api")
 		errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "drives of this type cannot be created via this api")
@@ -468,7 +470,7 @@ func (g Graph) createDrive(w http.ResponseWriter, r *http.Request, apiVersion AP
 	}
 
 	space := resp.GetStorageSpace()
-	if t := r.URL.Query().Get(TemplateParameter); t != "" && driveType == _spaceTypeProject {
+	if t := r.URL.Query().Get(TemplateParameter); t != "" && (driveType == _spaceTypeProject || driveType == _spaceTypeProtectedProject) {
 		loc := l10n.MustGetUserLocale(ctx, us.GetId().GetOpaqueId(), r.Header.Get(HeaderAcceptLanguage), g.valueService)
 		if err := g.applySpaceTemplate(ctx, gatewayClient, space.GetRoot(), t, loc); err != nil {
 			logger.Error().Err(err).Msg("could not apply template to space")
@@ -596,7 +598,7 @@ func (g Graph) updateDrive(w http.ResponseWriter, r *http.Request, apiVersion AP
 			for _, sp := range res.StorageSpaces {
 				id, _ := storagespace.ParseID(sp.GetId().GetOpaqueId())
 				if id.GetSpaceId() == rid.GetSpaceId() {
-					dt = _spaceTypeProject
+					dt = sp.SpaceType
 				}
 			}
 		}
@@ -781,7 +783,25 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor
 		return nil, err
 	}
 	res, err := gatewayClient.ListStorageSpaces(ctx, lReq)
-	return res, err
+	if err != nil {
+		return nil, err
+	}
+	if res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
+		return res, nil
+	}
+
+	// Filter out protected spaces if MFA is not enabled
+	if !mfa.Has(ctx) {
+		var filtered []*storageprovider.StorageSpace
+		for _, s := range res.StorageSpaces {
+			if s.SpaceType != _spaceTypeProtectedPersonal && s.SpaceType != _spaceTypeProtectedProject {
+				filtered = append(filtered, s)
+			}
+		}
+		res.StorageSpaces = filtered
+	}
+
+	return res, nil
 }
 
 func (g Graph) cs3StorageSpaceToDrive(ctx context.Context, baseURL *url.URL, space *storageprovider.StorageSpace, apiVersion APIVersion) (*libregraph.Drive, error) {
@@ -1016,9 +1036,12 @@ func getQuota(quota *libregraph.Quota, defaultQuota string) *storageprovider.Quo
 
 func (g Graph) canSetSpaceQuota(ctx context.Context, _ *userv1beta1.User, typ string) (bool, error) {
 	permID := settingsServiceExt.SetPersonalSpaceQuotaPermission(0).Id
-	if typ == _spaceTypeProject {
+	if typ == _spaceTypeProject || typ == _spaceTypeProtectedProject {
 		permID = settingsServiceExt.SetProjectSpaceQuotaPermission(0).Id
 	}
+	if typ == _spaceTypeProtectedPersonal {
+		permID = settingsServiceExt.SetPersonalSpaceQuotaPermission(0).Id
+	}
 	_, err := g.permissionsService.GetPermissionByID(ctx, &settingssvc.GetPermissionByIDRequest{PermissionId: permID})
 	if err != nil {
 		merror := merrors.FromError(err)

services/graph/pkg/service/v0/graph.go

@@ -21,6 +21,7 @@ import (
 	"github.com/owncloud/reva/v2/pkg/storagespace"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/keycloak"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
 	ehsvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/eventhistory/v0"
 	searchsvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/search/v0"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
@@ -154,38 +155,135 @@ func parseIDParam(r *http.Request, param string) (storageprovider.ResourceId, er
 	return id, nil
 }
 
-// regular users can only search for terms with a minimum length
-func hasAcceptableSearch(query *godata.GoDataQuery, minSearchLength int) bool {
+// QueryValidator defines a strategy for validating godata queries.
+type QueryValidator interface {
+	Validate(query *godata.GoDataQuery) error
+}
+
+// SearchValidator validates the search query.
+type SearchValidator struct {
+	MinLength int
+}
+
+// Validate checks if the search term is acceptable.
+func (v SearchValidator) Validate(query *godata.GoDataQuery) error {
 	if query == nil || query.Search == nil {
-		return false
+		return errors.New("search term too short")
 	}
 
+	minSearchLength := v.MinLength
 	if strings.HasPrefix(query.Search.RawValue, "\"") {
 		// if search starts with double quotes then it must finish with double quotes
 		// add +2 to the minimum search length in this case
 		minSearchLength += 2
 	}
 
-	return len(query.Search.RawValue) >= minSearchLength
+	if len(query.Search.RawValue) < minSearchLength {
+		return errors.New("search term too short")
+	}
+	return nil
 }
 
-// regular users can only filter by userType
-func hasAcceptableFilter(query *godata.GoDataQuery) bool {
+// FilterValidator validates the filter query.
+type FilterValidator struct{}
+
+// Validate checks if the filter applies forbidden elements.
+func (v FilterValidator) Validate(query *godata.GoDataQuery) error {
 	switch {
 	case query == nil || query.Filter == nil:
-		return true
+		return nil
 	case query.Filter.Tree.Token.Type != godata.ExpressionTokenLogical:
-		return false
+		return errors.New("filter has forbidden elements for regular users")
 	case query.Filter.Tree.Token.Value != "eq":
-		return false
+		return errors.New("filter has forbidden elements for regular users")
 	case query.Filter.Tree.Children[0].Token.Value != "userType":
-		return false
+		return errors.New("filter has forbidden elements for regular users")
+	}
+
+	return nil
+}
+
+// BasicQueryValidator validates basic queries.
+type BasicQueryValidator struct{}
+
+// Validate checks if the query contains unsupported operations like apply, expand, or compute.
+func (v BasicQueryValidator) Validate(query *godata.GoDataQuery) error {
+	if query != nil && (query.Apply != nil || query.Expand != nil || query.Compute != nil) {
+		return errors.New("query has forbidden elements for regular users")
+	}
+	return nil
+}
+
+// DriveTypeValidator validates if the driveType filter contains protected types.
+type DriveTypeValidator struct{}
+
+// Validate checks if the driveType filter contains protected types.
+func (v DriveTypeValidator) Validate(query *godata.GoDataQuery) error {
+	if query == nil || query.Filter == nil {
+		return nil
 	}
 
+	if query.Filter.Tree.Token.Value == "eq" && query.Filter.Tree.Children[0].Token.Value == "driveType" {
+		driveType := strings.Trim(query.Filter.Tree.Children[1].Token.Value, "'")
+		if driveType == _spaceTypeProtectedProject || driveType == _spaceTypeProtectedPersonal {
+			return errors.New("mfa required for protected spaces")
+		}
+	}
+
+	return nil
+}
+
+// validateQuery validates the godata query based on provided validators.
+// It handles user permissions and MFA requirements centrally.
+func (g Graph) validateQuery(r *http.Request, w http.ResponseWriter, query *godata.GoDataQuery, validators ...QueryValidator) bool {
+	ctxHasFullPerms := g.contextUserHasFullAccountPerms(r.Context())
+	hasMFA := mfa.Has(r.Context())
+	logger := g.logger.SubloggerWithRequestID(r.Context())
+
+	for _, v := range validators {
+		if err := v.Validate(query); err != nil {
+			if !ctxHasFullPerms {
+				logger.Debug().Interface("query", r.URL.Query()).Msg(err.Error())
+				errorcode.AccessDenied.Render(w, r, http.StatusForbidden, err.Error())
+				return false
+			}
+			if !hasMFA {
+				logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+				mfa.SetRequiredStatus(w)
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// validateQueryMFA validates the godata query based on provided validators.
+// It only handles MFA requirements and does not check for user permissions.
+func (g Graph) validateQueryMFA(r *http.Request, w http.ResponseWriter, query *godata.GoDataQuery, validators ...QueryValidator) bool {
+	hasMFA := mfa.Has(r.Context())
+	logger := g.logger.SubloggerWithRequestID(r.Context())
+
+	for _, v := range validators {
+		if err := v.Validate(query); err != nil {
+			if !hasMFA {
+				logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+				mfa.SetRequiredStatus(w)
+				return false
+			}
+		}
+	}
 	return true
 }
 
-// regular users can only use basic queries without any expansions, computes or applies
-func hasAcceptableQuery(query *godata.GoDataQuery) bool {
-	return query != nil && query.Apply == nil && query.Expand == nil && query.Compute == nil
+// validateMFA validates the MFA requirement.
+func (g Graph) validateMFA(r *http.Request, w http.ResponseWriter) bool {
+	hasMFA := mfa.Has(r.Context())
+	logger := g.logger.SubloggerWithRequestID(r.Context())
+
+	if !hasMFA {
+		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+		mfa.SetRequiredStatus(w)
+		return false
+	}
+	return true
 }