Make weboffice work with OCM #10700

Open
kobergj opened this issue Dec 2, 2024 · 16 comments · May be fixed by #10944
Labels
Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug


@kobergj
Collaborator

kobergj commented Dec 2, 2024

When getting a federated share I need to be able to edit it in the weboffice.

This ticket is to find out if there is an issue with this and, if yes, fix it.

Working collaboratively on one file is not in scope of this ticket.

Current behaviour: File is opened in read-only mode.

@kobergj kobergj moved this from Qualification to Prio 2 in Infinite Scale Team Board Dec 2, 2024
@kobergj kobergj added the Priority:p2-high Escalation, on top of current planning, release blocker label Dec 2, 2024
@saw-jan
Member

saw-jan commented Dec 2, 2024

Tested with:

Infinite Scale 7.0.0-rc.3+6782c2473 Community
ownCloud Web UI 11.0.4

Current behaviors:

1. Collabora

  1. Share with edit role

  2. Open file in Collabora -> CANNOT EDIT ❌

    collaboration-1     | {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"dade67a981de/kUulsvHrV0-000015","traceid":"00000000000000000000000000000000","remote-addr":"172.21.0.3:46206","method":"GET","wopi-action":"","status":200,"path":"/wopi/files/d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","duration":26.688054,"bytes":730,"time":"2024-12-02T10:35:59Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
    collaboration-1     | {"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"POST","path":"/wopi/files/d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","WopiSessionId":"","WopiOverride":"LOCK","WopiProof":"mBRmFOzDCSjaFqM6IOeu1wZCcEVjgjuuzkFKcpxboa158aaxnBqC4c4f0oCo6WiWdSVjD3Sa/3jDrKnvEi5B8FruGwHpe56g5machPjke2ll34TsLoYdeSvqZiRUv+nWsiA8ayc2KsENYS8SU8xhAOmdWEqZd6CAoN9Zf6vzQEt13PP4PfqJOhhPbgXg0/iqnZL9NH3Xrea1x9AgdN4wKeWizptf5qq9UXd5NHipLno2oEBDyH9HyG9RyMuvCQpR2yxH4AwQVOLMO89q+iC9KDmmREhaFX5q9Oz7/Y9OmjLfLk7mebUOeUsDFR4nshoPjs+lGhz4lBIFP2JNnjXQWQ==","WopiProofOld":"mBRmFOzDCSjaFqM6IOeu1wZCcEVjgjuuzkFKcpxboa158aaxnBqC4c4f0oCo6WiWdSVjD3Sa/3jDrKnvEi5B8FruGwHpe56g5machPjke2ll34TsLoYdeSvqZiRUv+nWsiA8ayc2KsENYS8SU8xhAOmdWEqZd6CAoN9Zf6vzQEt13PP4PfqJOhhPbgXg0/iqnZL9NH3Xrea1x9AgdN4wKeWizptf5qq9UXd5NHipLno2oEBDyH9HyG9RyMuvCQpR2yxH4AwQVOLMO89q+iC9KDmmREhaFX5q9Oz7/Y9OmjLfLk7mebUOeUsDFR4nshoPjs+lGhz4lBIFP2JNnjXQWQ==","WopiStamp":"638687325597044956","FileReference":"resource_id:{storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\" opaque_id:\"L1RlbXBsYXRlLmRvY3g=\" space_id:\"e94a9c90-23a4-468e-8d25-4872a654e5e0\"} path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://host.docker.internal:9200\" opaque_id:\"2668e587-825d-4fac-b2d0-7df51ecaec48\" type:USER_TYPE_PRIMARY","RequestedLockID":"cool-lock68368b73","RequestedOldLockID":"","StatusCode":"CODE_UNIMPLEMENTED","StatusMsg":"set lock:error: not supported: operation not supported","time":"2024-12-02T10:35:59Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/connector/fileconnector.go:343","message":"SetLock failed with unexpected status"}
    collaboration-1     | {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"dade67a981de/kUulsvHrV0-000017","traceid":"00000000000000000000000000000000","remote-addr":"172.21.0.3:46206","method":"POST","wopi-action":"LOCK","status":500,"path":"/wopi/files/d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","duration":22.996446,"bytes":0,"time":"2024-12-02T10:35:59Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
    
    collabora-1         | frk-00021-00021 2024-12-02 10:35:59.560395 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:585
    collabora-1         | wsd-00001-00257 2024-12-02 10:35:59.733721 +0000 [ docbroker_005 ] ERR  Un-successful WOPI::Lock with HTTP status 500 (Internal Server Error), failure reason: [] and response: []| wsd/wopi/WopiStorage.cpp:414
    collabora-1         | wsd-00001-00257 2024-12-02 10:35:59.733743 +0000 [ docbroker_005 ] ERR  Failed to Locked docKey [https%3A%2F%2Fhost.docker.internal%3A9300%2Fwopi%2Ffiles%2Fd619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d] with reason []. Notifying client and making session [088] read-only| wsd/DocumentBroker.cpp:1647
    collabora-1         | wsd-00001-00257 2024-12-02 10:35:59.733755 +0000 [ docbroker_005 ] ERR  Failed to lock docKey [https%3A%2F%2Fhost.docker.internal%3A9300%2Fwopi%2Ffiles%2Fd619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d] with session [088] before downloading. Session will be read-only: | wsd/DocumentBroker.cpp:1192
    

2. OnlyOffice

  1. Share with edit role

  2. Open file in OnlyOffice -> CANNOT LOAD EDITOR ❌

    collaboration-oo-1  | {"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"POST","path":"/wopi/files/d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","WopiSessionId":"","WopiOverride":"LOCK","WopiProof":"d5rSFjqGTYE1huFwprfz84aHa32341+vD6o0BMQwZSJDRNKNCQRZk6HtAQ8HzPaSYkYtSSzm9fdCkVDOacoIZqPLeoVM1/a4vABupQxGh1gWLLMbbjm0M3AhJE+VQnK1wh7RpjTTy7g7HEKf9NHTkqb3jdXWVDRr5T/Ryk6O8fnw7ym7xlyDDes4qj4i4LMfFZOriStzOyclWI5HYJ1atcgC1tK3pEDl3CkB1sQwvBRxIEF/uS0edA6vd/iln7xS5P9IXiZ8KzbW3qlLrCBCQNoRCpWQzOiQri4yeJPvnRDmeQGsVF3UxXiKRorFVAVADEZS9t1gZICD+JB7DV/m4w==","WopiProofOld":"d5rSFjqGTYE1huFwprfz84aHa32341+vD6o0BMQwZSJDRNKNCQRZk6HtAQ8HzPaSYkYtSSzm9fdCkVDOacoIZqPLeoVM1/a4vABupQxGh1gWLLMbbjm0M3AhJE+VQnK1wh7RpjTTy7g7HEKf9NHTkqb3jdXWVDRr5T/Ryk6O8fnw7ym7xlyDDes4qj4i4LMfFZOriStzOyclWI5HYJ1atcgC1tK3pEDl3CkB1sQwvBRxIEF/uS0edA6vd/iln7xS5P9IXiZ8KzbW3qlLrCBCQNoRCpWQzOiQri4yeJPvnRDmeQGsVF3UxXiKRorFVAVADEZS9t1gZICD+JB7DV/m4w==","WopiStamp":"638687323105570000","FileReference":"resource_id:{storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\" opaque_id:\"L1RlbXBsYXRlLmRvY3g=\" space_id:\"e94a9c90-23a4-468e-8d25-4872a654e5e0\"} path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://host.docker.internal:9200\" opaque_id:\"2668e587-825d-4fac-b2d0-7df51ecaec48\" type:USER_TYPE_PRIMARY","RequestedLockID":"d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","RequestedOldLockID":"","StatusCode":"CODE_UNIMPLEMENTED","StatusMsg":"set lock:error: not supported: operation not supported","time":"2024-12-02T10:31:50Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/connector/fileconnector.go:343","message":"SetLock failed with unexpected status"}
    collaboration-oo-1  | {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"4d787b3e2560/JboqPonUa1-000021","traceid":"00000000000000000000000000000000","remote-addr":"172.21.0.3:39084","method":"POST","wopi-action":"LOCK","status":500,"path":"/wopi/files/d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d","duration":15.246426,"bytes":0,"time":"2024-12-02T10:31:50Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
    
    onlyoffice-1        | [2024-12-02T10:31:50.577] [ERROR] [localhost] [d619bd0456d3ddbb8765ed723ca6caee3a2be1e9ad95c00852e023ecd5566a3d] [userId] nodeJS - wopi error LOCK:Error: Error response: statusCode:500; headers:{"content-length":"0","date":"Mon, 02 Dec 2024 10:31:50 GMT","x-collaboration.onlyoffice-version":"7.0.0-rc.3+6782c2473","x-request-id":"4d787b3e2560/JboqPonUa1-000021"}; body:
    onlyoffice-1        | 
    onlyoffice-1        |     at Request._callback (/snapshot/server/Common/sources/utils.js)
    onlyoffice-1        |     at Request.callback (/snapshot/server/Common/node_modules/request/request.js:185:22)
    onlyoffice-1        |     at Request.emit (node:events:527:28)
    onlyoffice-1        |     at Request.<anonymous> (/snapshot/server/Common/node_modules/request/request.js:1161:10)
    onlyoffice-1        |     at Request.emit (node:events:527:28)
    onlyoffice-1        |     at IncomingMessage.<anonymous> (/snapshot/server/Common/node_modules/request/request.js:1083:12)
    onlyoffice-1        |     at Object.onceWrapper (node:events:641:28)
    onlyoffice-1        |     at IncomingMessage.emit (node:events:539:35)
    onlyoffice-1        |     at endReadableNT (node:internal/streams/readable:1345:12)
    onlyoffice-1        |     at processTicksAndRejections (node:internal/process/task_queues:83:21)
    

@jvillafanez
Member

jvillafanez commented Dec 4, 2024

Maybe the problem is in https://github.com/cs3org/reva/blob/master/pkg/ocm/storage/received/ocm.go#L390 ?

Both Collabora and OnlyOffice are trying to set a lock on the file, and the request goes through the collaboration service to the reva gateway. I'm a bit lost from that point onward, but it's clear from the logs that the gwc.SetLock request fails with an "unimplemented" error, so something is missing in reva.

I assume that, after failing to get the lock, both Collabora and OnlyOffice decide to open the file in read-only mode instead of trying to edit the document in an unsafe way. OnlyOffice seems to fail instead.

@kobergj kobergj self-assigned this Dec 6, 2024
@kobergj kobergj moved this from Prio 2 to In progress in Infinite Scale Team Board Dec 6, 2024
@wkloucek
Contributor

I was able to successfully open a file in OnlyOffice that was shared with "edit" permissions.

A file that was shared with "view only" permissions, failed this way:

ocm-66d7ddb88d-fnwhx ocm {"level":"warn","service":"ocm","pkg":"rgrpc","traceid":"8d03414958b0a0e7c54687fdd88ddb73","error":"error: permission denied: access to resource ref:{id:{opaque_id:\"0548c0c0-3be1-4c8b-8c20-1aaa3ef44f92\"}} not allowed within the assigned scope","time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/auth/auth.go:150","message":"access token is invalid"}
gateway-554db4cc56-wrbc2 gateway {"level":"error","service":"gateway","pkg":"rgrpc","traceid":"8d03414958b0a0e7c54687fdd88ddb73","user-agent":"Go-http-client/1.1","from":"tcp://10.96.9.215:35954","uri":"/cs3.gateway.v1beta1.GatewayAPI/GetReceivedOCMShare","start":"13/Jan/2025:21:00:50 +0000","end":"13/Jan/2025:21:00:50 +0000","time_ns":818684,"code":"PermissionDenied","time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/log/log.go:69","message":"gateway: error calling GetReceivedOCMShare: rpc error: code = PermissionDenied desc = auth: core access token is invalid"}
ocm-66d7ddb88d-fnwhx ocm {"level":"error","service":"ocm","pkg":"rgrpc","traceid":"8d03414958b0a0e7c54687fdd88ddb73","user-agent":"Go-http-client/1.1","from":"tcp://10.96.6.90:41368","uri":"/cs3.sharing.ocm.v1beta1.OcmAPI/GetReceivedOCMShare","start":"13/Jan/2025:21:00:50 +0000","end":"13/Jan/2025:21:00:50 +0000","time_ns":95268,"code":"PermissionDenied","time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/log/log.go:69","message":"rpc error: code = PermissionDenied desc = auth: core access token is invalid"}
ocm-66d7ddb88d-fnwhx ocm {"level":"error","service":"ocm","pkg":"rhttp","datatx":"spaces","spaceid":"89f37a33-858b-45fa-8890-a1f2b27d90e1$0548c0c0-3be1-4c8b-8c20-1aaa3ef44f92!L3JlYWRvbmx5LXRlc3QuZG9jeA==","path":"/","request-id":"75892047dd4d7241c3234c0bc41503cf","svc":"datatx","handler":"download","error":"rpc error: code = PermissionDenied desc = gateway: error calling GetReceivedOCMShare: rpc error: code = PermissionDenied desc = auth: core access token is invalid","action":"download","time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/pkg/rhttp/datatx/utils/download/download.go:279","message":"unexpected error"}
proxy-6c45695999-wzp6q proxy {"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"75892047dd4d7241c3234c0bc41503cf","traceid":"8d03414958b0a0e7c54687fdd88ddb73","remote-addr":"10.96.9.46","method":"GET","status":500,"path":"/data","duration":9.988174,"bytes":0,"time":"2025-01-13T21:00:50Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
frontend-5887768456-wl6tb frontend {"level":"error","service":"frontend","pkg":"rhttp","traceid":"5927d6559c6c21586d0c85b7795527ff","host":"10.96.6.242","method":"GET","uri":"/data","url":"/","proto":"HTTP/1.1","status":500,"size":0,"start":"13/Jan/2025:21:00:50 +0000","end":"13/Jan/2025:21:00:50 +0000","time_ns":4540675,"time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/internal/http/interceptors/log/log.go:112","message":"http"}
ocm-66d7ddb88d-fnwhx ocm {"level":"error","service":"ocm","pkg":"rhttp","traceid":"92dc2ee5fe57ec1f2a5d486198c94239","host":"10.96.8.189","method":"GET","uri":"/data/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$0548c0c0-3be1-4c8b-8c20-1aaa3ef44f92%21L3JlYWRvbmx5LXRlc3QuZG9jeA==","url":"/","proto":"HTTP/1.1","status":500,"size":0,"start":"13/Jan/2025:21:00:50 +0000","end":"13/Jan/2025:21:00:50 +0000","time_ns":1873630,"time":"2025-01-13T21:00:50Z","line":"github.com/cs3org/reva/[email protected]/internal/http/interceptors/log/log.go:112","message":"http"}
collaboration-xxxx-office-6878f567d7-rzgnf collaboration-xxxx-office {"level":"error","service":"collaboration","request-id":"53647e397b29b816fa4ca164e7a40725","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/a02d7c430e0afc24fcb6a5a71cd341ce7b7739064ae2b44a9de8f29d3081b00a/contents","WopiSessionId":"","WopiOverride":"","WopiProof":"xxx","WopiProofOld":"xxx","WopiStamp":"638723988492690000","FileReference":"resource_id:{storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\"  opaque_id:\"L3JlYWRvbmx5LXRlc3QuZG9jeA==\"  space_id:\"0548c0c0-3be1-4c8b-8c20-1aaa3ef44f92\"}  path:\".\"","ViewMode":"VIEW_MODE_VIEW_ONLY","Requester":"idp:\"https://xxxx/realms/xxxx\"  opaque_id:\"526fb0b2-c787-4de7-9133-0a01b98d7a56\"  type:USER_TYPE_PRIMARY","FileReference":{"resource_id":{"storage_id":"89f37a33-858b-45fa-8890-a1f2b27d90e1","opaque_id":"L3JlYWRvbmx5LXRlc3QuZG9jeA==","space_id":"0548c0c0-3be1-4c8b-8c20-1aaa3ef44f92"},"path":"."},"Endpoint":"https://0xxxx/data","HasDownloadToken":true,"HttpCode":500,"time":"2025-01-13T21:00:50Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/connector/contentconnector.go:176","message":"GetFile: downloading the file failed"}
collaboration-xxxx-office-6878f567d7-rzgnf collaboration-xxxx-office {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"53647e397b29b816fa4ca164e7a40725","traceid":"00000000000000000000000000000000","remote-addr":"10.96.9.233:41880","method":"GET","wopi-action":"","status":500,"path":"/wopi/files/a02d7c430e0afc24fcb6a5a71cd341ce7b7739064ae2b44a9de8f29d3081b00a/contents","duration":329.51705,"bytes":22,"time":"2025-01-13T21:00:50Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}

@kobergj
Collaborator Author

kobergj commented Jan 23, 2025

Fixed in 7.1

@kobergj kobergj closed this as completed Jan 23, 2025
@github-project-automation github-project-automation bot moved this from In progress to Done in Infinite Scale Team Board Jan 23, 2025
@kobergj kobergj reopened this Jan 23, 2025
@github-project-automation github-project-automation bot moved this from Done to In progress in Infinite Scale Team Board Jan 23, 2025
@kobergj
Collaborator Author

kobergj commented Jan 23, 2025

So I thought. Need to have a look at the latest comment.

@kobergj
Collaborator Author

kobergj commented Jan 23, 2025

@wkloucek is that even supposed to happen? I thought OnlyOffice cannot do ViewOnly. Only Collabora can. Is that wrong?

@wkloucek
Contributor

> @wkloucek is that even supposed to happen? I thought OnlyOffice cannot do ViewOnly. Only Collabora can. Is that wrong?

From what I know, OnlyOffice can also open documents without offering to edit them. At least this is what happens if you only have read permissions on an office file.

@jvillafanez
Member

As far as I know, all office apps must support read-only, although the implementation might differ.
OnlyOffice might show the same editor but without writing capabilities for its read-only mode. Meanwhile, Collabora might also block copying and exporting, and also show a watermark.

@wkloucek
Contributor

This is what I took from a recent OnlyOffice /hosting discovery endpoint:

<action name="view" ext="docx" urlsrc="https://xxx/hosting/wopi/word/view?<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>
<action name="embedview" ext="docx" urlsrc="https://xxx/hosting/wopi/word/view?embed=1&<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>
<action name="mobileView" ext="docx" urlsrc="https://xxx/hosting/wopi/word/view?mobile=1&<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>
<action name="edit" ext="docx" default="true" requires="locks,update" urlsrc="https://xxx/hosting/wopi/word/edit?<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>
<action name="mobileEdit" ext="docx" requires="locks,update" urlsrc="https://xxx/hosting/wopi/word/edit?mobile=1&<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>
<action name="editnew" ext="docx" requires="locks,update" urlsrc="https://xxx/hosting/wopi/word/edit?<rs=DC_LLCC&><dchat=DISABLE_CHAT&><embed=EMBEDDED&><fs=FULLSCREEN&><hid=HOST_SESSION_ID&><rec=RECORDING&><sc=SESSION_CONTEXT&><thm=THEME_ID&><ui=UI_LLCC&><wopisrc=WOPI_SOURCE&>&"/>

It clearly advertises edit and view actions.

> OnlyOffice might show the same editor but without writing capabilities for its read-only mode. Meanwhile, Collabora might also block copying and exporting, and also show a watermark.

Yeah, OnlyOffice might not support that ultra safe zero trust view mode...

@2403905
Contributor

2403905 commented Jan 27, 2025

@jvillafanez Can it be a malformed access token?
When the document is opened in a view, the access token is:
httpReq.Header.Add("X-Access-Token", wopiContext.ViewOnlyToken)
Should opaque_id be encoded?

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "iss": "ocis.ocm.owncloud.test",
    "aud": [
      "reva"
    ],
    "exp": 1737813854,
    "iat": 1737727454,
    "user": {
      "id": {
        "idp": "ocis.ocm.owncloud.test",
        "opaque_id": "MDRmOWZiYTEtNDlkZC00OWU2LTgwNDItMmZhYTkwYjYwYjZkQGh0dHBzOi8vb2Npcy5vY20ub3duY2xvdWQudGVzdA==",
        "type": 6
      },
      "display_name": "View Only user for admin"
    },
    "scope": {
      "resourceinfo:storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\"  opaque_id:\"L29jaXMub2R0\"  space_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"": {
        "resource": {
          "decoder": "json",
          "value": "eyJpZCI6eyJzdG9yYWdlSWQiOiI4OWYzN2EzMy04NThiLTQ1ZmEtODg5MC1hMWYyYjI3ZDkwZTEiLCAib3BhcXVlSWQiOiJMMjlqYVhNdWIyUjAiLCAic3BhY2VJZCI6IjNlZjBmMTZiLTg3YTYtNGM2Yi1hMGZkLTcxZjc0ODc0M2VkZiJ9LCAicGF0aCI6Im9jaXMub2R0In0="
        },
        "role": 3
      }
    }
  },
  "signature": "zb0ZHM-ZSZMNBf--haV4JNoBmMDU1TwnlgxQpgu6B70"
}

When the document is opened in r/w, the access token is:

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "iss": "https://ocis.owncloud.test",
    "aud": [
      "reva"
    ],
    "exp": 1737813853,
    "iat": 1737727453,
    "user": {
      "id": {
        "idp": "https://ocis.owncloud.test",
        "opaque_id": "4c34b266-1dc3-4ee8-956b-edb89d312728",
        "type": 1
      },
      "username": "admin",
      "mail": "[email protected]",
      "display_name": "Admin",
      "uid_number": 99,
      "gid_number": 99
    },
    "scope": {
      "user": {
        "resource": {
          "decoder": "json",
          "value": "eyJwYXRoIjoiLyJ9"
        },
        "role": 1
      }
    }
  },
  "signature": "3Ch-SUA6R9JMIjzipid4onBA88fl1oTxEG8Up7KyoHg"
}

The error in collaboration:

{"level":"debug","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/3670a8147fa2f628d4e1d449f688f1867d5f44ec3f190267fa01ca5e7dcba206/contents","WopiSessionId":"","WopiOverride":"","WopiProof":"XNwBG9/HwBF1t/W1gn87RUnoKxNZ29Q3eEUTnyySPBHQPCuL9UFMh2OlMK7ENoWkWytbIkr5aOGWEGTrHVf6ffdP2RYEBKjb/5Bsiz428gCv83OMxfVyfPH0aOVboCxt1M29letHfS+665RuGkcKR7G36p8tFsS7MOlqH1dyl0snAHGjZvHbWtWRNo0SoXA1jGj0QmVc5+uex9NN6ij/cBYV/WLlYyU8sh2J+ZimeOuBuNLkZq8scEc4agz6c91ib+QJOxfUNKYtwVeK88aX6GT8rgjFj50i+OxVRdFIo8w/oAu7er9w0GicpIGWqnwtOIA91Aw2fe9BRVFX6CV61g==","WopiProofOld":"XNwBG9/HwBF1t/W1gn87RUnoKxNZ29Q3eEUTnyySPBHQPCuL9UFMh2OlMK7ENoWkWytbIkr5aOGWEGTrHVf6ffdP2RYEBKjb/5Bsiz428gCv83OMxfVyfPH0aOVboCxt1M29letHfS+665RuGkcKR7G36p8tFsS7MOlqH1dyl0snAHGjZvHbWtWRNo0SoXA1jGj0QmVc5+uex9NN6ij/cBYV/WLlYyU8sh2J+ZimeOuBuNLkZq8scEc4agz6c91ib+QJOxfUNKYtwVeK88aX6GT8rgjFj50i+OxVRdFIo8w/oAu7er9w0GicpIGWqnwtOIA91Aw2fe9BRVFX6CV61g==","WopiStamp":"638735640237770000","FileReference":"resource_id:{storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\"  opaque_id:\"L29jaXMub2R0\"  space_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"}  path:\".\"","ViewMode":"VIEW_MODE_VIEW_ONLY","Requester":"idp:\"https://ocis.owncloud.test\"  opaque_id:\"4c34b266-1dc3-4ee8-956b-edb89d312728\"  type:USER_TYPE_PRIMARY","FileReference":{"resource_id":{"storage_id":"89f37a33-858b-45fa-8890-a1f2b27d90e1","opaque_id":"L29jaXMub2R0","space_id":"3ef0f16b-87a6-4c6b-a0fd-71f748743edf"},"path":"."},"time":"2025-01-27T08:40:26Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/connector/contentconnector.go:100","message":"GetFile: start"}
{"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/3670a8147fa2f628d4e1d449f688f1867d5f44ec3f190267fa01ca5e7dcba206/contents","WopiSessionId":"","WopiOverride":"","WopiProof":"XNwBG9/HwBF1t/W1gn87RUnoKxNZ29Q3eEUTnyySPBHQPCuL9UFMh2OlMK7ENoWkWytbIkr5aOGWEGTrHVf6ffdP2RYEBKjb/5Bsiz428gCv83OMxfVyfPH0aOVboCxt1M29letHfS+665RuGkcKR7G36p8tFsS7MOlqH1dyl0snAHGjZvHbWtWRNo0SoXA1jGj0QmVc5+uex9NN6ij/cBYV/WLlYyU8sh2J+ZimeOuBuNLkZq8scEc4agz6c91ib+QJOxfUNKYtwVeK88aX6GT8rgjFj50i+OxVRdFIo8w/oAu7er9w0GicpIGWqnwtOIA91Aw2fe9BRVFX6CV61g==","WopiProofOld":"XNwBG9/HwBF1t/W1gn87RUnoKxNZ29Q3eEUTnyySPBHQPCuL9UFMh2OlMK7ENoWkWytbIkr5aOGWEGTrHVf6ffdP2RYEBKjb/5Bsiz428gCv83OMxfVyfPH0aOVboCxt1M29letHfS+665RuGkcKR7G36p8tFsS7MOlqH1dyl0snAHGjZvHbWtWRNo0SoXA1jGj0QmVc5+uex9NN6ij/cBYV/WLlYyU8sh2J+ZimeOuBuNLkZq8scEc4agz6c91ib+QJOxfUNKYtwVeK88aX6GT8rgjFj50i+OxVRdFIo8w/oAu7er9w0GicpIGWqnwtOIA91Aw2fe9BRVFX6CV61g==","WopiStamp":"638735640237770000","FileReference":"resource_id:{storage_id:\"89f37a33-858b-45fa-8890-a1f2b27d90e1\"  opaque_id:\"L29jaXMub2R0\"  space_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"}  path:\".\"","ViewMode":"VIEW_MODE_VIEW_ONLY","Requester":"idp:\"https://ocis.owncloud.test\"  opaque_id:\"4c34b266-1dc3-4ee8-956b-edb89d312728\"  type:USER_TYPE_PRIMARY","FileReference":{"resource_id":{"storage_id":"89f37a33-858b-45fa-8890-a1f2b27d90e1","opaque_id":"L29jaXMub2R0","space_id":"3ef0f16b-87a6-4c6b-a0fd-71f748743edf"},"path":"."},"Endpoint":"https://ocis.owncloud.test/data","HasDownloadToken":true,"HttpCode":500,"time":"2025-01-27T08:40:26Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/connector/contentconnector.go:176","message":"GetFile: downloading the file failed"}

ocis

2025-01-27 09:40:26 {"level":"info","service":"ocm","pkg":"rhttp","traceid":"f2ad3a53d6701b6620f869bb59cb0b88","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/http/interceptors/providerauthorizer/providerauthorizer.go:83","message":"skipping provider authorizer check for: /data/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$3ef0f16b-87a6-4c6b-a0fd-71f748743edf!L29jaXMub2R0"}
2025-01-27 09:40:26 {"level":"debug","service":"ocm","pkg":"rhttp","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/pkg/rhttp/rhttp.go:248","message":"http routing: head=data tail=/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$3ef0f16b-87a6-4c6b-a0fd-71f748743edf!L29jaXMub2R0 svc=data"}
2025-01-27 09:40:26 {"level":"debug","service":"ocm","pkg":"rhttp","traceid":"f2ad3a53d6701b6620f869bb59cb0b88","request-id":"b949be6ddce1/w6OCviHZym-001374","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/http/services/dataprovider/dataprovider.go:180","message":"dataprovider routing: path=/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$3ef0f16b-87a6-4c6b-a0fd-71f748743edf!L29jaXMub2R0"}
2025-01-27 09:40:26 {"level":"debug","service":"gateway","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","method":"/cs3.gateway.v1beta1.GatewayAPI/GetReceivedOCMShare","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/auth/auth.go:122","message":"skipping auth"}
2025-01-27 09:40:26 {"level":"debug","service":"gateway","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","scope":"resourceinfoScope","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/pkg/auth/scope/resourceinfo.go:105","message":"resource type assertion failed: ref:{id:{opaque_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"}}"}
2025-01-27 09:40:26 {"level":"debug","service":"ocm","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","scope":"resourceinfoScope","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/pkg/auth/scope/resourceinfo.go:105","message":"resource type assertion failed: ref:{id:{opaque_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"}}"}
2025-01-27 09:40:26 {"level":"warn","service":"ocm","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","error":"error: permission denied: access to resource ref:{id:{opaque_id:\"3ef0f16b-87a6-4c6b-a0fd-71f748743edf\"}} not allowed within the assigned scope","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/auth/auth.go:150","message":"access token is invalid"}
2025-01-27 09:40:26 {"level":"error","service":"ocm","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","user-agent":"Go-http-client/1.1","from":"tcp://127.0.0.1:58796","uri":"/cs3.sharing.ocm.v1beta1.OcmAPI/GetReceivedOCMShare","start":"27/Jan/2025:08:40:26 +0000","end":"27/Jan/2025:08:40:26 +0000","time_ns":325427,"code":"PermissionDenied","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/log/log.go:69","message":"rpc error: code = PermissionDenied desc = auth: core access token is invalid"}
2025-01-27 09:40:26 {"level":"error","service":"gateway","pkg":"rgrpc","traceid":"84e19063c57377806c045db76b4d9c38","user-agent":"Go-http-client/1.1","from":"tcp://172.19.0.2:52536","uri":"/cs3.gateway.v1beta1.GatewayAPI/GetReceivedOCMShare","start":"27/Jan/2025:08:40:26 +0000","end":"27/Jan/2025:08:40:26 +0000","time_ns":1320668,"code":"PermissionDenied","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/log/log.go:69","message":"gateway: error calling GetReceivedOCMShare: rpc error: code = PermissionDenied desc = auth: core access token is invalid"}
2025-01-27 09:40:26 {"level":"error","service":"ocm","pkg":"rhttp","datatx":"spaces","spaceid":"89f37a33-858b-45fa-8890-a1f2b27d90e1$3ef0f16b-87a6-4c6b-a0fd-71f748743edf!L29jaXMub2R0","path":"/","request-id":"b949be6ddce1/w6OCviHZym-001374","svc":"datatx","handler":"download","error":"rpc error: code = PermissionDenied desc = gateway: error calling GetReceivedOCMShare: rpc error: code = PermissionDenied desc = auth: core access token is invalid","action":"download","time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/pkg/rhttp/datatx/utils/download/download.go:279","message":"unexpected error"}
2025-01-27 09:40:26 {"level":"error","service":"ocm","pkg":"rhttp","traceid":"f2ad3a53d6701b6620f869bb59cb0b88","host":"127.0.0.1","method":"GET","uri":"/data/spaces/89f37a33-858b-45fa-8890-a1f2b27d90e1$3ef0f16b-87a6-4c6b-a0fd-71f748743edf%21L29jaXMub2R0","url":"/","proto":"HTTP/1.1","status":500,"size":0,"start":"27/Jan/2025:08:40:26 +0000","end":"27/Jan/2025:08:40:26 +0000","time_ns":2067557,"time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/http/interceptors/log/log.go:112","message":"http"}
2025-01-27 09:40:26 {"level":"error","service":"frontend","pkg":"rhttp","traceid":"d087790232cc6164ca206ffaa7646b6c","host":"127.0.0.1","method":"GET","uri":"/data","url":"/","proto":"HTTP/1.1","status":500,"size":0,"start":"27/Jan/2025:08:40:26 +0000","end":"27/Jan/2025:08:40:26 +0000","time_ns":2921068,"time":"2025-01-27T08:40:26Z","line":"github.com/cs3org/reva/[email protected]/internal/http/interceptors/log/log.go:112","message":"http"}
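
The scope carried by the OCM view-only token above can be decoded and set beside the ref from the "not allowed within the assigned scope" log line. This is an added diagnostic example, not code from ocis or reva; the type and function names are assumptions, and the two constants are copied from the comment above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"unicode/utf8"
)

// ResourceID mirrors the "id" object inside the scope's JSON value
// as it appears in the view-only token posted in this thread.
// (Hypothetical type for this example, not a reva type.)
type ResourceID struct {
	StorageID string `json:"storageId"`
	OpaqueID  string `json:"opaqueId"`
	SpaceID   string `json:"spaceId"`
}

// ScopedResource is the decoded scope value: the resource the token is limited to.
type ScopedResource struct {
	ID   ResourceID `json:"id"`
	Path string     `json:"path"`
}

// RefMatch reports how a requested ref relates to the scoped resource.
type RefMatch struct {
	SameResource    bool // all three id fields are identical
	MatchesOpaqueID bool // ref opaque_id equals the scope's opaque id
	MatchesSpaceID  bool // ref opaque_id equals the scope's space id
}

// scope.resource.value of the OCM view-only token, copied from the thread.
const ocmScopeValue = "eyJpZCI6eyJzdG9yYWdlSWQiOiI4OWYzN2EzMy04NThiLTQ1ZmEtODg5MC1hMWYyYjI3ZDkwZTEiLCAib3BhcXVlSWQiOiJMMjlqYVhNdWIyUjAiLCAic3BhY2VJZCI6IjNlZjBmMTZiLTg3YTYtNGM2Yi1hMGZkLTcxZjc0ODc0M2VkZiJ9LCAicGF0aCI6Im9jaXMub2R0In0="

// opaque_id of the ref in the "permission denied" log line for GetReceivedOCMShare.
const deniedRefOpaqueID = "3ef0f16b-87a6-4c6b-a0fd-71f748743edf"

// DecodeScope turns the base64 JSON scope value into a ScopedResource.
func DecodeScope(value string) (ScopedResource, error) {
	var r ScopedResource
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return r, fmt.Errorf("scope value is not base64: %w", err)
	}
	if err := json.Unmarshal(raw, &r); err != nil {
		return r, fmt.Errorf("scope value is not JSON: %w", err)
	}
	return r, nil
}

// DecodeOpaquePath reports whether an opaque id is itself base64 text and,
// if so, returns the decoded string. A plain UUID fails because '-' is not
// in the standard base64 alphabet.
func DecodeOpaquePath(opaqueID string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(opaqueID)
	if err != nil || !utf8.Valid(raw) {
		return "", false
	}
	return string(raw), true
}

// CompareRef sets the requested ref beside the resource the token is scoped to.
func CompareRef(scope ScopedResource, ref ResourceID) RefMatch {
	return RefMatch{
		SameResource:    scope.ID == ref,
		MatchesOpaqueID: ref.OpaqueID == scope.ID.OpaqueID,
		MatchesSpaceID:  ref.OpaqueID == scope.ID.SpaceID,
	}
}

func main() {
	scope, err := DecodeScope(ocmScopeValue)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("scoped resource: %+v\n", scope)

	if p, ok := DecodeOpaquePath(scope.ID.OpaqueID); ok {
		fmt.Printf("scope opaque id is base64 of %q\n", p)
	}

	// The denied request carried only an opaque_id, no storage or space id.
	m := CompareRef(scope, ResourceID{OpaqueID: deniedRefOpaqueID})
	fmt.Printf("ref vs scope: %+v\n", m)
}
```

For the values in this thread, the denied ref's opaque_id equals the scope's space id rather than the scoped file's opaque id, and that opaque id is itself base64 of the path `/ocis.odt`.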

@jvillafanez
Member

> Should opaque_id be encoded?

I don't think so.

{
  "aud": [
    "reva"
  ],
  "exp": 1738060961,
  "iat": 1737974561,
  "user": {
    "id": {
      "opaque_id": "40aa4e06-2f4d-436b-90ac-ace47829f0e1",
      "type": 8
    },
    "display_name": "View Only user for blo"
  },
  "scope": {
    "resourceinfo:storage_id:\"a1047ed4-9dd9-4138-9ac8-6bd253de04c1\" opaque_id:\"2c9deb97-5233-4988-aa0d-bce43fd3e396\" space_id:\"40aa4e06-2f4d-436b-90ac-ace47829f0e1\"": {
      "resource": {
        "decoder": "json",
        "value": "eyJpZCI6eyJzdG9yYWdlSWQiOiJhMTA0N2VkNC05ZGQ5LTQxMzgtOWFjOC02YmQyNTNkZTA0YzEiLCJvcGFxdWVJZCI6IjJjOWRlYjk3LTUyMzMtNDk4OC1hYTBkLWJjZTQzZmQzZTM5NiIsInNwYWNlSWQiOiI0MGFhNGUwNi0yZjRkLTQzNmItOTBhYy1hY2U0NzgyOWYwZTEifSwicGF0aCI6IkRvY3VtZW50LmRvY3gifQ=="
      },
      "role": 3
    }
  }
}

That's the decoded view-only token for a local account.

@kobergj
Collaborator Author

kobergj commented Jan 29, 2025

ViewOnly token seems to be the issue. Without it everything works fine. We need to find out why we need it and why it doesn't work for ocm.

@2403905
Contributor

2403905 commented Jan 30, 2025

If I understand correctly, the ViewOnly token has been added as a part of the Secure view story: https://github.com/cs3org/reva/pull/4686/files

> Enhancement: mint view only token for open in app requests
>
> When a view only mode is requested for open in app requests the gateway now mints a view only token scoped to the requested resource.
> This token can be used by trusted app providers to download the resource even if the user has no download permission.

#8769
#9068

@kobergj
Collaborator Author

kobergj commented Jan 30, 2025

Ah. Maybe we have a misunderstanding here? view permission is different from secureview. We do not support secureview on ocm shares.

@kobergj
Collaborator Author

kobergj commented Jan 30, 2025

@jvillafanez could you have a look at cs3org/reva#5055?

Imo the check if there should be a SecureView token is wrong, but maybe I'm misunderstanding something?

@kobergj kobergj linked a pull request Jan 30, 2025 that will close this issue
@jvillafanez
Member

As far as I understand the change, does it mean that if the user has permission to download the file, that user won't be able to request secure view?

Kind of side question: should the view-only token contain just a change in the user's scope or permission? I expect the user in the access token and the view-only token to be the same, but I'm not sure if this is the case.
It seems the user in the view-only token is the owner of the resource, so it's weird he doesn't have enough permissions to access the file. Are we using / setting a different user on reva's side?
