Merge pull request #22731 from owncloud/hide-nodes-from-listening

Hides nodes from listing that the user has no access to
This commit is contained in:
Thomas Müller 2016-03-01 09:22:08 +01:00
commit 25a4571dcd
8 changed files with 499 additions and 3 deletions

View File

@ -21,10 +21,10 @@
namespace OCA\DAV\Connector;
use OCA\DAV\Connector\Sabre\DavAclPlugin;
use Sabre\HTTP\URLUtil;
class LegacyDAVACL extends \Sabre\DAVACL\Plugin {
class LegacyDAVACL extends DavAclPlugin {
/**
* Converts the v1 principal `principal/<username>` to the new v2

View File

@ -0,0 +1,72 @@
<?php
/**
* @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\DAV\Connector\Sabre;
use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\IFile;
use Sabre\DAV\INode;
use \Sabre\DAV\PropFind;
use \Sabre\DAV\PropPatch;
use Sabre\DAVACL\Exception\NeedPrivileges;
use \Sabre\HTTP\RequestInterface;
use \Sabre\HTTP\ResponseInterface;
use Sabre\HTTP\URLUtil;
/**
* Class DavAclPlugin is a wrapper around \Sabre\DAVACL\Plugin that returns 404
* responses in case the resource to a response has been forbidden instead of
* a 403. This is used to prevent enumeration of valid resources.
*
* @see https://github.com/owncloud/core/issues/22578
* @package OCA\DAV\Connector\Sabre
*/
class DavAclPlugin extends \Sabre\DAVACL\Plugin {
public function __construct() {
$this->hideNodesFromListings = true;
}
function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) {
$access = parent::checkPrivileges($uri, $privileges, $recursion, false);
if($access === false) {
/** @var INode $node */
$node = $this->server->tree->getNodeForPath($uri);
switch(get_class($node)) {
case 'OCA\DAV\CardDAV\AddressBook':
$type = 'Addressbook';
break;
default:
$type = 'Node';
break;
}
throw new NotFound(
sprintf(
"%s with name '%s' could not be found",
$type,
$node->getName()
)
);
}
return $access;
}
}

View File

@ -26,6 +26,7 @@ use OCA\DAV\CalDAV\Schedule\IMipPlugin;
use OCA\DAV\Connector\FedAuth;
use OCA\DAV\Connector\Sabre\Auth;
use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
use OCA\DAV\Connector\Sabre\DavAclPlugin;
use OCA\DAV\Connector\Sabre\FilesPlugin;
use OCA\DAV\Files\CustomPropertiesBackend;
use OCP\IRequest;
@ -72,7 +73,7 @@ class Server {
$this->server->addPlugin(new \Sabre\DAV\Sync\Plugin());
// acl
$acl = new \Sabre\DAVACL\Plugin();
$acl = new DavAclPlugin();
$acl->defaultUsernamePath = 'principals/users';
$this->server->addPlugin($acl);

View File

@ -16,6 +16,10 @@ default:
baseUrl: http://localhost:8080
- TagsContext:
baseUrl: http://localhost:8080
- CardDavContext:
baseUrl: http://localhost:8080
- CalDavContext:
baseUrl: http://localhost:8080
federation:
paths:
- %paths.base%/../federation_features

View File

@ -0,0 +1,172 @@
<?php
/**
* @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
require __DIR__ . '/../../vendor/autoload.php';
use GuzzleHttp\Client;
use GuzzleHttp\Message\ResponseInterface;
class CalDavContext implements \Behat\Behat\Context\Context {
/** @var string */
private $baseUrl;
/** @var Client */
private $client;
/** @var ResponseInterface */
private $response;
/** @var string */
private $responseXml = '';
/**
* @param string $baseUrl
*/
public function __construct($baseUrl) {
$this->baseUrl = $baseUrl;
// in case of ci deployment we take the server url from the environment
$testServerUrl = getenv('TEST_SERVER_URL');
if ($testServerUrl !== false) {
$this->baseUrl = substr($testServerUrl, 0, -5);
}
}
/** @BeforeScenario */
public function tearUpScenario() {
$this->client = new Client();
$this->responseXml = '';
}
/** @AfterScenario */
public function afterScenario() {
$davUrl = $this->baseUrl. '/remote.php/dav/calendars/admin/MyCalendar';
try {
$this->client->delete(
$davUrl,
[
'auth' => [
'admin',
'admin',
],
]
);
} catch (\GuzzleHttp\Exception\ClientException $e) {}
}
/**
* @When :user requests calendar :calendar
*/
public function requestsCalendar($user, $calendar) {
$davUrl = $this->baseUrl . '/remote.php/dav/calendars/'.$calendar;
$password = ($user === 'admin') ? 'admin' : '123456';
try {
$this->response = $this->client->get(
$davUrl,
[
'auth' => [
$user,
$password,
]
]
);
} catch (\GuzzleHttp\Exception\ClientException $e) {
$this->response = $e->getResponse();
}
}
/**
* @Then The CalDAV HTTP status code should be :code
*/
public function theCaldavHttpStatusCodeShouldBe($code) {
if((int)$code !== $this->response->getStatusCode()) {
throw new \Exception(
sprintf(
'Expected %s got %s',
(int)$code,
$this->response->getStatusCode()
)
);
}
$body = $this->response->getBody()->getContents();
if($body && substr($body, 0, 1) === '<') {
$reader = new Sabre\Xml\Reader();
$reader->xml($body);
$this->responseXml = $reader->parse();
}
}
/**
* @Then The exception is :message
*/
public function theExceptionIs($message) {
$result = $this->responseXml['value'][0]['value'];
if($message !== $result) {
throw new \Exception(
sprintf(
'Expected %s got %s',
$message,
$result
)
);
}
}
/**
* @Then The error message is :message
*/
public function theErrorMessageIs($message) {
$result = $this->responseXml['value'][1]['value'];
if($message !== $result) {
throw new \Exception(
sprintf(
'Expected %s got %s',
$message,
$result
)
);
}
}
/**
* @Given :user creates a calendar named :name
*/
public function createsACalendarNamed($user, $name) {
$davUrl = $this->baseUrl . '/remote.php/dav/calendars/'.$user.'/'.$name;
$password = ($user === 'admin') ? 'admin' : '123456';
$request = $this->client->createRequest(
'MKCALENDAR',
$davUrl,
[
'body' => '<c:mkcalendar xmlns:c="urn:ietf:params:xml:ns:caldav" xmlns:d="DAV:" xmlns:a="http://apple.com/ns/ical/" xmlns:o="http://owncloud.org/ns"><d:set><d:prop><d:displayname>test</d:displayname><o:calendar-enabled>1</o:calendar-enabled><a:calendar-color>#21213D</a:calendar-color><c:supported-calendar-component-set><c:comp name="VEVENT"/></c:supported-calendar-component-set></d:prop></d:set></c:mkcalendar>',
'auth' => [
$user,
$password,
],
]
);
$this->response = $this->client->send($request);
}
}

View File

@ -0,0 +1,193 @@
<?php
/**
* @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
require __DIR__ . '/../../vendor/autoload.php';
use GuzzleHttp\Client;
use GuzzleHttp\Message\ResponseInterface;
class CardDavContext implements \Behat\Behat\Context\Context {
/** @var string */
private $baseUrl;
/** @var Client */
private $client;
/** @var ResponseInterface */
private $response;
/** @var string */
private $responseXml = '';
/**
* @param string $baseUrl
*/
public function __construct($baseUrl) {
$this->baseUrl = $baseUrl;
// in case of ci deployment we take the server url from the environment
$testServerUrl = getenv('TEST_SERVER_URL');
if ($testServerUrl !== false) {
$this->baseUrl = substr($testServerUrl, 0, -5);
}
}
/** @BeforeScenario */
public function tearUpScenario() {
$this->client = new Client();
$this->responseXml = '';
}
/** @AfterScenario */
public function afterScenario() {
$davUrl = $this->baseUrl . '/remote.php/dav/addressbooks/users/admin/MyAddressbook';
try {
$this->client->delete(
$davUrl,
[
'auth' => [
'admin',
'admin',
],
]
);
} catch (\GuzzleHttp\Exception\ClientException $e) {}
}
/**
* @When :user requests addressbook :addressBook with statuscode :statusCode
*/
public function requestsAddressbookWithStatuscode($user, $addressBook, $statusCode) {
$davUrl = $this->baseUrl . '/remote.php/dav/addressbooks/users/'.$addressBook;
$password = ($user === 'admin') ? 'admin' : '123456';
try {
$this->response = $this->client->get(
$davUrl,
[
'auth' => [
$user,
$password,
],
]
);
} catch (\GuzzleHttp\Exception\ClientException $e) {
$this->response = $e->getResponse();
}
if((int)$statusCode !== $this->response->getStatusCode()) {
throw new \Exception(
sprintf(
'Expected %s got %s',
(int)$statusCode,
$this->response->getStatusCode()
)
);
}
$body = $this->response->getBody()->getContents();
if(substr($body, 0, 1) === '<') {
$reader = new Sabre\Xml\Reader();
$reader->xml($body);
$this->responseXml = $reader->parse();
}
}
/**
* @Given :user creates an addressbook named :addressBook with statuscode :statusCode
*/
public function createsAnAddressbookNamedWithStatuscode($user, $addressBook, $statusCode) {
$davUrl = $this->baseUrl . '/remote.php/dav/addressbooks/users/'.$user.'/'.$addressBook;
$password = ($user === 'admin') ? 'admin' : '123456';
$request = $this->client->createRequest(
'MKCOL',
$davUrl,
[
'body' => '<d:mkcol xmlns:c="urn:ietf:params:xml:ns:caldav"
xmlns:card="urn:ietf:params:xml:ns:carddav"
xmlns:cs="http://calendarserver.org/ns/"
xmlns:d="DAV:">
<d:set>
<d:prop>
<d:resourcetype>
<d:collection />,<card:addressbook />
</d:resourcetype>,<d:displayname>'.$addressBook.'</d:displayname>
</d:prop>
</d:set>
</d:mkcol>',
'auth' => [
$user,
$password,
],
'headers' => [
'Content-Type' => 'application/xml;charset=UTF-8',
],
]
);
$this->response = $this->client->send($request);
if($this->response->getStatusCode() !== (int)$statusCode) {
throw new \Exception(
sprintf(
'Expected %s got %s',
(int)$statusCode,
$this->response->getStatusCode()
)
);
}
}
/**
* @When The CardDAV exception is :message
*/
public function theCarddavExceptionIs($message) {
$result = $this->responseXml['value'][0]['value'];
if($message !== $result) {
throw new \Exception(
sprintf(
'Expected %s got %s',
$message,
$result
)
);
}
}
/**
* @When The CardDAV error message is :arg1
*/
public function theCarddavErrorMessageIs($message) {
$result = $this->responseXml['value'][1]['value'];
if($message !== $result) {
throw new \Exception(
sprintf(
'Expected %s got %s',
$message,
$result
)
);
}
}
}

View File

@ -0,0 +1,31 @@
Feature: caldav
Scenario: Accessing a not existing calendar of another user
Given user "user0" exists
When "admin" requests calendar "user0/MyCalendar"
Then The CalDAV HTTP status code should be "404"
And The exception is "Sabre\DAV\Exception\NotFound"
And The error message is "Node with name 'MyCalendar' could not be found"
# Blocked by https://github.com/php/php-src/pull/1417
#Scenario: Accessing a not shared calendar of another user
# Given user "user0" exists
# Given "admin" creates a calendar named "MyCalendar"
# Given The CalDAV HTTP status code should be "201"
# When "user0" requests calendar "admin/MyCalendar"
# Then The CalDAV HTTP status code should be "404"
# And The exception is "Sabre\DAV\Exception\NotFound"
# And The error message is "Node with name 'MyCalendar' could not be found"
Scenario: Accessing a not existing calendar of myself
Given user "user0" exists
When "user0" requests calendar "admin/MyCalendar"
Then The CalDAV HTTP status code should be "404"
And The exception is "Sabre\DAV\Exception\NotFound"
And The error message is "Node with name 'MyCalendar' could not be found"
# Blocked by https://github.com/php/php-src/pull/1417
#Scenario: Creating a new calendar
# When "admin" creates a calendar named "MyCalendar"
# Then The CalDAV HTTP status code should be "201"
# And "admin" requests calendar "admin/MyCalendar"
# Then The CalDAV HTTP status code should be "200"

View File

@ -0,0 +1,23 @@
Feature: carddav
Scenario: Accessing a not existing addressbook of another user
Given user "user0" exists
When "admin" requests addressbook "user0/MyAddressbook" with statuscode "404"
And The CardDAV exception is "Sabre\DAV\Exception\NotFound"
And The CardDAV error message is "Addressbook with name 'MyAddressbook' could not be found"
Scenario: Accessing a not shared addressbook of another user
Given user "user0" exists
Given "admin" creates an addressbook named "MyAddressbook" with statuscode "201"
When "user0" requests addressbook "admin/MyAddressbook" with statuscode "404"
And The CardDAV exception is "Sabre\DAV\Exception\NotFound"
And The CardDAV error message is "Addressbook with name 'MyAddressbook' could not be found"
Scenario: Accessing a not existing addressbook of myself
Given user "user0" exists
When "user0" requests addressbook "admin/MyAddressbook" with statuscode "404"
And The CardDAV exception is "Sabre\DAV\Exception\NotFound"
And The CardDAV error message is "Addressbook with name 'MyAddressbook' could not be found"
Scenario: Creating a new addressbook
When "admin" creates an addressbook named "MyAddressbook" with statuscode "201"
Then "admin" requests addressbook "admin/MyAddressbook" with statuscode "200"