Commit Graph

23295 Commits

Author SHA1 Message Date
Dominik Schmidt
407bb2bc70 refactor(graph): clearer colon-path anchor parsing, pin second-colon rule
parseColonPath split the anchor asymmetrically (root trimmed the delimiter
colon as part of a literal "/root:" prefix, item cut on it), and the root
branch's comment talked about the driveID which isn't this function's
concern. Split once at the first colon into anchor + rest, then classify
the anchor (exactly "/root", or "/items/{id}" with a single-segment id).
Same behavior, easier to follow.

Also add explicit coverage for the rule that a suffix requires a second
colon: "/root:/Documents/children" (no second colon) is the path
"/Documents/children", not the path "/Documents" with a "/children"
suffix. Two tests pin it end-to-end - it must route to the bare item (not
/items/{id}/children) and Stat must receive the full path.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
4b98022688 refactor(graph): parse colon paths with string ops instead of regexes
Review feedback: the two colon-syntax regexes were hard to read. Since the
middleware is scoped to /drives/{driveID}, the RoutePath it inspects is just
the sub-path (/root:/... or /items/{id}:/...), so a regex buys nothing.

Replace rootColonRe/itemColonRe (and the matchInto/extract helpers) with a
single parseColonPath that uses plain string operations
(HasPrefix/TrimPrefix/TrimSuffix/Cut), one commented step at a time.
Behavior is unchanged; the existing table tests (trailing colon, no suffix,
deep paths, multi-segment suffixes, item-anchored, encoded paths) still pass
and pin it.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
1f51bad9d1 refactor(graph): scope colon-path middleware to /drives/{driveID}
Addresses review feedback: a sub-router middleware can re-route after all,
as long as it rewrites chi.RouteContext().RoutePath instead of r.URL.Path.
Once chi has descended into a sub-router its routeHTTP matches against
rctx.RoutePath and ignores r.URL.Path, which is why the earlier top-level
registration was thought to be required.

Move ResolveGraphPath off the top-level mux.Use and attach it to the
/drives/{driveID} sub-routers (v1.0 + v1beta1). It now reads driveID from
chi.URLParam and matches against RoutePath (the part below the drive), so
the regexes drop the version + drive prefix entirely.

RoutePath carries the percent-encoded wire form (Graph.ServeHTTP sets
RawPath), so the captured driveID/itemID/path are PathUnescape'd exactly
once - reproducing the decoded r.URL.Path a normal handler would see,
without the previous RawPath/EscapedPath workaround. r.URL.Path is now
left untouched; only chi's internal RoutePath is rewritten.

Tests are reworked to drive requests through a chi router mirroring the
production nesting (including the Graph.ServeHTTP RawPath behavior), so
chi's sub-router middleware ordering, RoutePath encoding and param
round-trip are all covered indirectly: a chi upgrade that changes any of
them fails these tests instead of silently breaking colon-path lookups.
Adds explicit coverage for percent-decoding (%20, %252F) and the `$`/`!`
sub-delimiter id round-trip.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
8f51a4318a test(graph): pin chi URLParam round-trip for IDs with ! sub-delim
Codacy flagged the colon-path middleware comment claiming both `$`
and `!` need percent-encoding for chi's tree match, while the
implementation only calls r.URL.RawPath = r.URL.EscapedPath() which
does not encode either character per the suggestion's reading.

In practice EscapedPath does encode `!` as `%21` (only `?` is the
hardcoded escape, `!` is escaped because Go's net/url treats it as
needing encoding outside specific contexts). It leaves `$` literal,
which chi handles fine. chi.URLParam returns the encoded segment
verbatim, and downstream OpenCloud handlers (parseIDParam,
GetDriveAndItemIDParam) already PathUnescape before parsing IDs, so
the round-trip works end-to-end. The acceptance tests on this
branch already exercise this with real `$`/`!`-containing IDs.

Add a focused unit test that mounts the middleware behind chi,
sends a colon URL, and asserts the actual contract:
  - driveID (only `$`): chi.URLParam returns it literal
  - itemID (with `!`):  PathUnescape(chi.URLParam(...)) == original

Update the misleading comment so future readers (and reviewers) see
what the encoding actually does and which downstream contract it
relies on.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
3b42c6250d test(graph): acceptance tests for MS Graph colon-syntax path lookup
Cover the rewrite shapes the middleware handles end-to-end against a
real OpenCloud server: root-anchored, item-anchored, deep paths,
trailing colon, and the "/<path>:/<suffix>" sub-route form. Also
assert that NOT_FOUND and PERMISSION_DENIED both collapse to 404.

The /permissions sub-route is registered only at /v1beta1, and the
v1beta1 GetDriveItem handler is share-jail-only, so the v1beta1
mount of the middleware is exercised through the permissions
scenario, since there is no other v1beta1 endpoint that works for
regular personal-drive items.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
6343f7e861 refactor(graph): drop MS Graph framing from colon-path middleware logs 2026-07-01 17:44:31 +02:00
Dominik Schmidt
7498e8f848 fix(graph): map UNAUTHENTICATED to 401, validate drive/item id pair
Three more Copilot review nits on the colon-syntax middleware:

- CS3 Stat returning UNAUTHENTICATED now surfaces as HTTP 401 (was 500
  via the default-case fallback). Distinct sentinel + handler branch.
- Item-anchored form (/drives/{driveID}/items/{itemID}:/...) now
  validates that driveID's storage/space prefix matches the itemID's,
  short-circuiting to 400 InvalidRequest on mismatch instead of doing
  a CS3 Stat that would only fail at the handler layer.
- ParseID failures on the anchor id now surface as 400 (was 404). In
  practice this branch is defensive — storagespace.ParseID is lenient
  and only errors on empty input, which the regex already filters out
  — but the right semantic for malformed client input is 400, not 404.

Tests: added two new cases (UNAUTHENTICATED → 401, drive/item id
mismatch → 400). The "malformed drive id" case Copilot suggested
isn't reachable in practice given ParseID's leniency, so it's not
covered.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
e49959b833 fix(graph): preserve RawPath workaround + use NopLogger in tests
Two follow-up Copilot review nits on the colon-syntax middleware:

- Don't blank r.URL.RawPath after the rewrite. Graph.ServeHTTP sets
  RawPath = EscapedPath() as a workaround for chi's parameter-binding
  quirks with `$`/`!` in IDs (see go-chi/chi#641). Clearing RawPath
  for rewritten requests negates that workaround. Re-establish the
  same invariant after the rewrite.

- Tests previously used log.NewLogger(), which mutates global zerolog
  state. Switch to log.NopLogger() — order-independent, no global
  side effects.
2026-07-01 17:44:31 +02:00
Dominik Schmidt
f31e50381f fix(graph): address Copilot review feedback on path lookup middleware
- Drop double-decoding of URL path components. r.URL.Path is already
  decoded by net/http; calling url.PathUnescape again would let crafted
  inputs like "%252F" become "/", changing path semantics. Path and
  anchor-id strings now go straight to utils.MakeRelativePath /
  storagespace.ParseID.
- Distinguish operational errors from "not found". Gateway selection
  failure, RPC transport errors, and unexpected CS3 status codes now
  surface as 500 (don't mask outages); only NOT_FOUND and PERMISSION_DENIED
  collapse to 404 (no existence disclosure). Implemented via a sentinel
  errPathNotFound + a 500 fall-through.
- Refactor the two regex-handling branches in rewriteColonPath to share a
  resolution path via a small colonMatch struct + matchInto/extract helpers.
  Removes the SonarCloud duplication finding without changing behavior.
- Update the docstring on ResolveGraphPath to reflect that the rewrite
  preserves the requested API version (/{version}/...) rather than
  hard-coding /v1beta1/...
- Test cleanup: register t.Cleanup to remove the per-subtest selector
  entry from pool's global selectors map after the subtest, and update
  the "unexpected status" case to expect 500 (matches the new error
  semantics).
2026-07-01 17:44:31 +02:00
Dominik Schmidt
0b373817a8 feat(graph): add MS Graph colon-syntax path lookup middleware
Adds a chi middleware that detects MS Graph colon-syntax URLs and rewrites
them to the canonical /items/{itemID}/... form before chi performs route
matching. Existing handlers, routes, and GetDriveAndItemIDParam stay
unchanged.

Two URL shapes are recognized at both /v1.0 and /v1beta1:

  /drives/{driveID}/root:/<path>[:/<suffix>][:]
  /drives/{driveID}/items/{itemID}:/<relativePath>[:/<suffix>][:]

Path resolution runs as the request user via CS3 Stat. Both NOT_FOUND and
PERMISSION_DENIED collapse to a 404 response so existence isn't disclosed
to unauthorized callers. URLs without colon syntax fast-path through with
a single substring check. The original URL is stashed in request context
under OriginalPathContextKey for downstream tracing/logging.

The middleware is registered as a top-level mux.Use so it runs before any
route matching: chi middleware on a sub-router runs after the prefix is
matched but cannot redirect to a different leaf route. Top-level
middleware lets URL rewriting actually re-route the request.

Tests cover regex matching across versions, all rewrite variants
(root/items anchored, with/without suffix, with/without trailing colon,
deep paths), NOT_FOUND -> 404, PERMISSION_DENIED -> 404 (security: no
existence disclosure), and original-URL preservation in request context.
2026-07-01 17:44:31 +02:00
Alex
93fb9cbf6c feat: adjust theme chrome colors and logos (#2599) 2026-07-01 13:20:39 +02:00
dependabot[bot]
e599fa57aa build(deps): bump github.com/jellydator/ttlcache/v3 from 3.4.0 to 3.4.1
Bumps [github.com/jellydator/ttlcache/v3](https://github.com/jellydator/ttlcache) from 3.4.0 to 3.4.1.
- [Release notes](https://github.com/jellydator/ttlcache/releases)
- [Commits](https://github.com/jellydator/ttlcache/compare/v3.4.0...v3.4.1)

---
updated-dependencies:
- dependency-name: github.com/jellydator/ttlcache/v3
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 09:57:45 +02:00
dependabot[bot]
00ec9a8898 build(deps): bump go.etcd.io/bbolt from 1.4.3 to 1.5.0
Bumps [go.etcd.io/bbolt](https://github.com/etcd-io/bbolt) from 1.4.3 to 1.5.0.
- [Release notes](https://github.com/etcd-io/bbolt/releases)
- [Commits](https://github.com/etcd-io/bbolt/compare/v1.4.3...v1.5.0)

---
updated-dependencies:
- dependency-name: go.etcd.io/bbolt
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 09:56:17 +02:00
Ralf Haferkamp
22485957fe chore: bump version in license-checker clarifications 2026-06-30 18:10:16 +02:00
dependabot[bot]
06c7d6d7af build(deps-dev): bump i18next-conv in /services/idp
Bumps [i18next-conv](https://github.com/i18next/i18next-gettext-converter) from 15.1.2 to 17.0.0.
- [Release notes](https://github.com/i18next/i18next-gettext-converter/releases)
- [Changelog](https://github.com/i18next/i18next-gettext-converter/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/i18next-gettext-converter/compare/v15.1.2...v17.0.0)

---
updated-dependencies:
- dependency-name: i18next-conv
  dependency-version: 17.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-30 18:10:16 +02:00
opencloudeu
858f03fde4 [tx] updated from transifex 2026-06-29 23:16:21 +00:00
Michael Stingl
ea29a5d1a4 test(apiSpaces): a space admin can delete a space with no manager (#3040)
#1877 reordered the api-test teardown to delete spaces before users, so the
state where a project space's manager has been deleted is no longer exercised.
This adds explicit coverage for it: the only manager of a project space is
deleted, and a space admin can still list and delete (disable + purge) the space.

Related: #1878
2026-06-29 10:00:44 +02:00
Jannik Stehle
012d817288 Merge pull request #3019 from opencloud-eu/chore/bump-web-skill
chore(skills): add skill for bumping web
2026-06-29 09:52:36 +02:00
Ralf Haferkamp
ab7cf4655a Merge pull request #3023 from opencloud-eu/dependabot/go_modules/github.com/testcontainers/testcontainers-go/modules/opensearch-0.43.0
build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.42.0 to 0.43.0
2026-06-26 12:53:53 +02:00
Ralf Haferkamp
9318001dcc Merge pull request #3024 from opencloud-eu/dependabot/go_modules/go.opentelemetry.io/contrib/zpages-0.69.0
build(deps): bump go.opentelemetry.io/contrib/zpages from 0.68.0 to 0.69.0
2026-06-26 11:37:38 +02:00
Ralf Haferkamp
a7b57ccfc2 Merge pull request #3022 from opencloud-eu/dependabot/go_modules/github.com/onsi/ginkgo/v2-2.32.0
build(deps): bump github.com/onsi/ginkgo/v2 from 2.31.0 to 2.32.0
2026-06-26 09:19:09 +02:00
Ralf Haferkamp
6300c99924 Merge pull request #3025 from rhafer/bump-reva
chore: switch reva back from fork
2026-06-26 09:17:42 +02:00
Benedikt Kulmann
701aa28b22 Merge pull request #3001 from fschade/collaboration-optinal-events
fix: make the collaboration service events optional
2026-06-26 08:38:42 +02:00
Ralf Haferkamp
b9a945c5b9 chore: switch reva back from fork 2026-06-25 17:25:56 +02:00
dependabot[bot]
a06ad04701 build(deps): bump github.com/onsi/ginkgo/v2 from 2.31.0 to 2.32.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.31.0 to 2.32.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.31.0...v2.32.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-25 14:58:01 +00:00
Ralf Haferkamp
ca3757152f Merge pull request #2889 from rhafer/reva-655
Update tests for opencloud-eu/reva#655
2026-06-25 16:55:18 +02:00
dependabot[bot]
c23a439332 build(deps): bump go.opentelemetry.io/contrib/zpages
Bumps [go.opentelemetry.io/contrib/zpages](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.68.0 to 0.69.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.68.0...zpages/v0.69.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/contrib/zpages
  dependency-version: 0.69.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-25 14:44:38 +00:00
dependabot[bot]
0a4741e4df build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch
Bumps [github.com/testcontainers/testcontainers-go/modules/opensearch](https://github.com/testcontainers/testcontainers-go) from 0.42.0 to 0.43.0.
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](https://github.com/testcontainers/testcontainers-go/compare/v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: github.com/testcontainers/testcontainers-go/modules/opensearch
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-25 14:44:19 +00:00
Michael Stingl
a3951098c6 test(coreApiWebdavUploadTUS): expect 400 for invalid TUS upload names
opencloud-eu/reva#655 changes the TUS create response for an invalid name
from 412 to 400. Update the invalid-name scenario to match.

Each example now carries its own expected status in an <http-status-code>
column. Names that fail ValidateName expect 400. The three folder/file rows
stay 412: filename() applies path.Base first, so "folder/file" becomes the
valid leaf "file" and never reaches the changed branch.

lowLevelCreationExtension.feature is unchanged; its missing-Upload-Length
case still returns 412.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 16:11:25 +02:00
Ralf Haferkamp
868d61a839 bump reva to fork for adjusting tests 2026-06-25 16:11:22 +02:00
Jannik Stehle
8cb4465e8a chore(skills): add skill for bumping web
Add a skill that let's agents bump web to a specified version, commit
the changes and create a PR for it. The user invokes the skill via e.g.
"bump web to v7.0.0".
2026-06-25 10:42:25 +02:00
Benedikt Kulmann
de5257ece9 fix: add warning to log if events endpoint unconfigured 2026-06-25 10:12:05 +02:00
Ralf Haferkamp
29d004b22d Merge pull request #3015 from opencloud-eu/dependabot/go_modules/github.com/gookit/config/v2-2.2.8
build(deps): bump github.com/gookit/config/v2 from 2.2.7 to 2.2.8
2026-06-25 08:48:01 +02:00
Ralf Haferkamp
716287cb2e Merge pull request #3013 from opencloud-eu/dependabot/go_modules/github.com/onsi/gomega-1.42.1
build(deps): bump github.com/onsi/gomega from 1.40.0 to 1.42.1
2026-06-25 08:17:42 +02:00
Ralf Haferkamp
3e9b54eb0d Merge pull request #2957 from opencloud-eu/dependabot/go_modules/golang.org/x/net-0.56.0
build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0
2026-06-25 08:17:11 +02:00
dependabot[bot]
261540ad42 build(deps): bump github.com/gookit/config/v2 from 2.2.7 to 2.2.8
Bumps [github.com/gookit/config/v2](https://github.com/gookit/config) from 2.2.7 to 2.2.8.
- [Release notes](https://github.com/gookit/config/releases)
- [Commits](https://github.com/gookit/config/compare/v2.2.7...v2.2.8)

---
updated-dependencies:
- dependency-name: github.com/gookit/config/v2
  dependency-version: 2.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 14:44:07 +00:00
dependabot[bot]
5abfaabae6 build(deps): bump github.com/onsi/gomega from 1.40.0 to 1.42.1
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.40.0 to 1.42.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.40.0...v1.42.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 14:43:40 +00:00
Ralf Haferkamp
c1278f4b99 Merge pull request #3006 from opencloud-eu/dependabot/go_modules/github.com/tus/tusd/v2-2.10.0
build(deps): bump github.com/tus/tusd/v2 from 2.9.2 to 2.10.0
2026-06-24 12:14:13 +02:00
Ralf Haferkamp
b486a72021 Merge pull request #3007 from opencloud-eu/dependabot/go_modules/github.com/coreos/go-oidc/v3-3.19.0
build(deps): bump github.com/coreos/go-oidc/v3 from 3.18.0 to 3.19.0
2026-06-24 12:12:03 +02:00
Viktor Scharf
5c4a6603b9 api-test: deleting space (#2970)
* api-test: deleting space

* Update feature file for space management actions

* Update disableEnableDeleteSpaces.feature
2026-06-24 12:05:40 +02:00
dependabot[bot]
ef203cb2db build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0.
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 08:45:01 +00:00
Ralf Haferkamp
c361da5c9d Merge pull request #2968 from opencloud-eu/dependabot/go_modules/github.com/nats-io/nats.go-1.52.0
build(deps): bump github.com/nats-io/nats.go from 1.51.0 to 1.52.0
2026-06-24 10:42:51 +02:00
Ralf Haferkamp
ca6ef15294 Merge pull request #2917 from opencloud-eu/dependabot/npm_and_yarn/services/idp/react-i18next-17.0.8
build(deps): bump react-i18next from 15.7.4 to 17.0.8 in /services/idp
2026-06-24 10:40:34 +02:00
Florian Schade
435b446a6a fix: make the collaboration service events optional 2026-06-23 17:31:39 +02:00
dependabot[bot]
f4120ad602 build(deps): bump github.com/coreos/go-oidc/v3 from 3.18.0 to 3.19.0
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.18.0 to 3.19.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](https://github.com/coreos/go-oidc/compare/v3.18.0...v3.19.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-23 14:44:03 +00:00
dependabot[bot]
5e27a7023a build(deps): bump github.com/tus/tusd/v2 from 2.9.2 to 2.10.0
Bumps [github.com/tus/tusd/v2](https://github.com/tus/tusd) from 2.9.2 to 2.10.0.
- [Release notes](https://github.com/tus/tusd/releases)
- [Commits](https://github.com/tus/tusd/compare/v2.9.2...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/tus/tusd/v2
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-23 14:43:53 +00:00
Ralf Haferkamp
8cd085914a Merge pull request #2954 from opencloud-eu/dependabot/go_modules/go.opentelemetry.io/otel/exporters/stdout/stdouttrace-1.44.0
build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.43.0 to 1.44.0
2026-06-23 12:32:48 +02:00
Ralf Haferkamp
a4629d5fb4 Merge pull request #3002 from rhafer/bump-js
chore: bump a couple of depencies to close dependabot alerts
2026-06-23 10:26:53 +02:00
Ralf Haferkamp
3b791e2e61 chore: bump a couple of depencies to close dependabot alerts 2026-06-23 09:07:30 +02:00
Ralf Haferkamp
7c70c67e30 Merge pull request #2980 from aduffeck/fix-name-attr-mismatches
Extend the posixfs consistency command to fix name attr mismatches
2026-06-22 12:15:12 +02:00