From 7210852f075085ab2d678f9554125dedc7e3a310 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@arthur-schiwon.de>
Date: Wed, 27 Nov 2019 13:59:34 +0100
Subject: [PATCH] allow user flows when the acting user is legitimate, but not
 its owner

for instance, when a sharee changes a file, the owner can act upon

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
---
 .../lib/AppInfo/Application.php               |  3 +
 apps/workflowengine/lib/Entity/File.php       | 96 ++++++++++++++-----
 apps/workflowengine/lib/Manager.php           | 26 +++++
 .../lib/Service/RuleMatcher.php               | 48 +++++++++-
 lib/public/WorkflowEngine/IEntity.php         |  8 ++
 lib/public/WorkflowEngine/IRuleMatcher.php    | 31 ++++++
 6 files changed, 183 insertions(+), 29 deletions(-)

diff --git a/apps/workflowengine/lib/AppInfo/Application.php b/apps/workflowengine/lib/AppInfo/Application.php
index a654c87d2e..933d0cb754 100644
--- a/apps/workflowengine/lib/AppInfo/Application.php
+++ b/apps/workflowengine/lib/AppInfo/Application.php
@@ -98,6 +98,9 @@ class Application extends \OCP\AppFramework\App {
 								/** @var IOperation $operation */
 								$operation = $this->getContainer()->query($operationClass);
 
+								$ruleMatcher->setEntity($entity);
+								$ruleMatcher->setOperation($operation);
+
 								if ($event instanceof Event) {
 									$entity->prepareRuleMatcher($ruleMatcher, $eventName, $event);
 									$operation->onEvent($eventName, $event, $ruleMatcher);
diff --git a/apps/workflowengine/lib/Entity/File.php b/apps/workflowengine/lib/Entity/File.php
index a9d71d5f8c..5192100c2c 100644
--- a/apps/workflowengine/lib/Entity/File.php
+++ b/apps/workflowengine/lib/Entity/File.php
@@ -24,17 +24,19 @@ declare(strict_types=1);
 
 namespace OCA\WorkflowEngine\Entity;
 
-use OCA\WorkflowEngine\AppInfo\Application;
 use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\GenericEvent;
 use OCP\Files\IRootFolder;
+use OCP\Files\Node;
+use OCP\Files\NotFoundException;
 use OCP\IL10N;
 use OCP\ILogger;
 use OCP\IURLGenerator;
+use OCP\Share\IManager as ShareManager;
 use OCP\SystemTag\MapperEvent;
 use OCP\WorkflowEngine\GenericEntityEvent;
 use OCP\WorkflowEngine\IEntity;
 use OCP\WorkflowEngine\IRuleMatcher;
-use Symfony\Component\EventDispatcher\GenericEvent;
 
 class File implements IEntity {
 
@@ -46,12 +48,27 @@ class File implements IEntity {
 	protected $root;
 	/** @var ILogger */
 	protected $logger;
+	/** @var string */
+	protected $eventName;
+	/** @var Event */
+	protected $event;
+	/** @var ShareManager */
+	private $shareManager;
 
-	public function __construct(IL10N $l10n, IURLGenerator $urlGenerator, IRootFolder $root, ILogger $logger) {
+	private const EVENT_NAMESPACE = '\OCP\Files::';
+
+	public function __construct(
+		IL10N $l10n,
+		IURLGenerator $urlGenerator,
+		IRootFolder $root,
+		ILogger $logger,
+		ShareManager $shareManager
+	) {
 		$this->l10n = $l10n;
 		$this->urlGenerator = $urlGenerator;
 		$this->root = $root;
 		$this->logger = $logger;
+		$this->shareManager = $shareManager;
 	}
 
 	public function getName(): string {
@@ -63,14 +80,13 @@ class File implements IEntity {
 	}
 
 	public function getEvents(): array {
-		$namespace = '\OCP\Files::';
 		return [
-			new GenericEntityEvent($this->l10n->t('File created'), $namespace . 'postCreate'),
-			new GenericEntityEvent($this->l10n->t('File updated'), $namespace . 'postWrite'),
-			new GenericEntityEvent($this->l10n->t('File renamed'), $namespace . 'postRename'),
-			new GenericEntityEvent($this->l10n->t('File deleted'), $namespace . 'postDelete'),
-			new GenericEntityEvent($this->l10n->t('File accessed'), $namespace . 'postTouch'),
-			new GenericEntityEvent($this->l10n->t('File copied'), $namespace . 'postCopy'),
+			new GenericEntityEvent($this->l10n->t('File created'), self::EVENT_NAMESPACE . 'postCreate'),
+			new GenericEntityEvent($this->l10n->t('File updated'), self::EVENT_NAMESPACE . 'postWrite'),
+			new GenericEntityEvent($this->l10n->t('File renamed'), self::EVENT_NAMESPACE . 'postRename'),
+			new GenericEntityEvent($this->l10n->t('File deleted'), self::EVENT_NAMESPACE . 'postDelete'),
+			new GenericEntityEvent($this->l10n->t('File accessed'), self::EVENT_NAMESPACE . 'postTouch'),
+			new GenericEntityEvent($this->l10n->t('File copied'), self::EVENT_NAMESPACE . 'postCopy'),
 			new GenericEntityEvent($this->l10n->t('Tag assigned'), MapperEvent::EVENT_ASSIGN),
 		];
 	}
@@ -79,27 +95,55 @@ class File implements IEntity {
 		if (!$event instanceof GenericEvent && !$event instanceof MapperEvent) {
 			return;
 		}
-		switch ($eventName) {
-			case 'postCreate':
-			case 'postWrite':
-			case 'postDelete':
-			case 'postTouch':
-				$ruleMatcher->setEntitySubject($this, $event->getSubject());
-				break;
-			case 'postRename':
-			case 'postCopy':
-				$ruleMatcher->setEntitySubject($this, $event->getSubject()[1]);
-				break;
+		$this->eventName = $eventName;
+		$this->event = $event;
+		try {
+			$node = $this->getNode();
+			$ruleMatcher->setEntitySubject($this, $node);
+		} catch (NotFoundException $e) {
+			// pass
+		}
+	}
+
+	public function isLegitimatedForUserId(string $uid): bool {
+		try {
+			$node = $this->getNode();
+			if($node->getOwner()->getUID() === $uid) {
+				return true;
+			}
+			$acl = $this->shareManager->getAccessList($node, true, true);
+			return array_key_exists($uid, $acl['users']);
+		} catch (NotFoundException $e) {
+			return false;
+		}
+	}
+
+	/**
+	 * @throws NotFoundException
+	 */
+	protected function getNode(): Node {
+		if (!$this->event instanceof GenericEvent && !$this->event instanceof MapperEvent) {
+			throw new NotFoundException();
+		}
+		switch ($this->eventName) {
+			case self::EVENT_NAMESPACE . 'postCreate':
+			case self::EVENT_NAMESPACE . 'postWrite':
+			case self::EVENT_NAMESPACE . 'postDelete':
+			case self::EVENT_NAMESPACE . 'postTouch':
+				return $this->event->getSubject();
+			case self::EVENT_NAMESPACE . 'postRename':
+			case self::EVENT_NAMESPACE . 'postCopy':
+				return $this->event->getSubject()[1];
 			case MapperEvent::EVENT_ASSIGN:
-				if (!$event instanceof MapperEvent || $event->getObjectType() !== 'files') {
-					break;
+				if (!$this->event instanceof MapperEvent || $this->event->getObjectType() !== 'files') {
+					throw new NotFoundException();
 				}
-				$nodes = $this->root->getById((int)$event->getObjectId());
+				$nodes = $this->root->getById((int)$this->event->getObjectId());
 				if (is_array($nodes) && !empty($nodes)) {
-					$node = array_shift($nodes);
-					$ruleMatcher->setEntitySubject($this, $node);
+					return array_shift($nodes);
 				}
 				break;
 		}
+		throw new NotFoundException();
 	}
 }
diff --git a/apps/workflowengine/lib/Manager.php b/apps/workflowengine/lib/Manager.php
index 1c2c76a94c..b84ae57c2c 100644
--- a/apps/workflowengine/lib/Manager.php
+++ b/apps/workflowengine/lib/Manager.php
@@ -152,6 +152,32 @@ class Manager implements IManager {
 		return $operations;
 	}
 
+	public function getAllConfiguredScopesForOperation(string $operationClass): array {
+		static $scopesByOperation = [];
+		if (isset($scopesByOperation[$operationClass])) {
+			return $scopesByOperation[$operationClass];
+		}
+
+		$query = $this->connection->getQueryBuilder();
+
+		$query->selectDistinct('s.type')
+			->addSelect('s.value')
+			->from('flow_operations', 'o')
+			->leftJoin('o', 'flow_operations_scope', 's', $query->expr()->eq('o.id', 's.operation_id'))
+			->where($query->expr()->eq('o.class', $query->createParameter('operationClass')));
+
+		$query->setParameters(['operationClass' => $operationClass]);
+		$result = $query->execute();
+
+		$scopesByOperation[$operationClass] = [];
+		while ($row = $result->fetch()) {
+			$scope = new ScopeContext($row['type'], $row['value']);
+			$scopesByOperation[$operationClass][$scope->getHash()] = $scope;
+		}
+
+		return $scopesByOperation[$operationClass];
+	}
+
 	public function getAllOperations(ScopeContext $scopeContext): array {
 		if(isset($this->operations[$scopeContext->getHash()])) {
 			return $this->operations[$scopeContext->getHash()];
diff --git a/apps/workflowengine/lib/Service/RuleMatcher.php b/apps/workflowengine/lib/Service/RuleMatcher.php
index 95c68b6337..6f670c65c1 100644
--- a/apps/workflowengine/lib/Service/RuleMatcher.php
+++ b/apps/workflowengine/lib/Service/RuleMatcher.php
@@ -36,7 +36,9 @@ use OCP\WorkflowEngine\IEntity;
 use OCP\WorkflowEngine\IEntityCheck;
 use OCP\WorkflowEngine\IFileCheck;
 use OCP\WorkflowEngine\IManager;
+use OCP\WorkflowEngine\IOperation;
 use OCP\WorkflowEngine\IRuleMatcher;
+use RuntimeException;
 
 class RuleMatcher implements IRuleMatcher {
 
@@ -52,8 +54,17 @@ class RuleMatcher implements IRuleMatcher {
 	protected $fileInfo = [];
 	/** @var IL10N */
 	protected $l;
+	/** @var IOperation */
+	protected $operation;
+	/** @var IEntity */
+	protected $entity;
 
-	public function __construct(IUserSession $session, IServerContainer $container, IL10N $l, Manager $manager) {
+	public function __construct(
+		IUserSession $session,
+		IServerContainer $container,
+		IL10N $l,
+		Manager $manager
+	) {
 		$this->session = $session;
 		$this->manager = $manager;
 		$this->container = $container;
@@ -65,11 +76,31 @@ class RuleMatcher implements IRuleMatcher {
 		$this->fileInfo['path'] = $path;
 	}
 
-
 	public function setEntitySubject(IEntity $entity, $subject): void {
 		$this->contexts[get_class($entity)] = [$entity, $subject];
 	}
 
+	public function setOperation(IOperation $operation): void {
+		if($this->operation !== null) {
+			throw new RuntimeException('This method must not be called more than once');
+		}
+		$this->operation = $operation;
+	}
+
+	public function setEntity(IEntity $entity): void {
+		if($this->entity !== null) {
+			throw new RuntimeException('This method must not be called more than once');
+		}
+		$this->entity = $entity;
+	}
+
+	public function getFlows(bool $returnFirstMatchingOperationOnly = true): array {
+		if(!$this->operation) {
+			throw new RuntimeException('Operation is not set');
+		}
+		return $this->getMatchingOperations(get_class($this->operation), $returnFirstMatchingOperationOnly);
+	}
+
 	public function getMatchingOperations(string $class, bool $returnFirstMatchingOperationOnly = true): array {
 		$scopes[] = new ScopeContext(IManager::SCOPE_ADMIN);
 		$user = $this->session->getUser();
@@ -82,6 +113,17 @@ class RuleMatcher implements IRuleMatcher {
 			$operations = array_merge($operations, $this->manager->getOperations($class, $scope));
 		}
 
+		$additionalScopes = $this->manager->getAllConfiguredScopesForOperation($class);
+		foreach ($additionalScopes as $hash => $scopeCandidate) {
+			/** @var ScopeContext $scopeCandidate */
+			if ($scopeCandidate->getScope() !== IManager::SCOPE_USER) {
+				continue;
+			}
+			if ($this->entity->isLegitimatedForUserId($scopeCandidate->getScopeId())) {
+				$operations = array_merge($operations, $this->manager->getOperations($class, $scopeCandidate));
+			}
+		}
+
 		$matches = [];
 		foreach ($operations as $operation) {
 			$checkIds = json_decode($operation['checks'], true);
@@ -117,7 +159,7 @@ class RuleMatcher implements IRuleMatcher {
 
 		if ($checkInstance instanceof IFileCheck) {
 			if (empty($this->fileInfo)) {
-				throw new \RuntimeException('Must set file info before running the check');
+				throw new RuntimeException('Must set file info before running the check');
 			}
 			$checkInstance->setFileInfo($this->fileInfo['storage'], $this->fileInfo['path']);
 		} elseif ($checkInstance instanceof IEntityCheck) {
diff --git a/lib/public/WorkflowEngine/IEntity.php b/lib/public/WorkflowEngine/IEntity.php
index b820560049..47e2f10219 100644
--- a/lib/public/WorkflowEngine/IEntity.php
+++ b/lib/public/WorkflowEngine/IEntity.php
@@ -74,4 +74,12 @@ interface IEntity {
 	 */
 	public function prepareRuleMatcher(IRuleMatcher $ruleMatcher, string $eventName, Event $event): void;
 
+	/**
+	 * returns whether the provided user id is allowed to run a flow against
+	 * the known context
+	 *
+	 * @since 18.0.0
+	 */
+	public function isLegitimatedForUserId(string $userId): bool;
+
 }
diff --git a/lib/public/WorkflowEngine/IRuleMatcher.php b/lib/public/WorkflowEngine/IRuleMatcher.php
index 5569800edb..fa2359edc0 100644
--- a/lib/public/WorkflowEngine/IRuleMatcher.php
+++ b/lib/public/WorkflowEngine/IRuleMatcher.php
@@ -24,6 +24,8 @@ declare(strict_types=1);
 
 namespace OCP\WorkflowEngine;
 
+use RuntimeException;
+
 /**
  * Class IRuleMatcher
  *
@@ -33,7 +35,36 @@ namespace OCP\WorkflowEngine;
  */
 interface IRuleMatcher extends IFileCheck {
 	/**
+	 * This method is left for backwards compatibility and easier porting of
+	 * apps. Please use 'getFlows' instead (and setOperation if you implement
+	 * an IComplexOperation).
+	 *
 	 * @since 18.0.0
+	 * @deprecated 18.0.0
 	 */
 	public function getMatchingOperations(string $class, bool $returnFirstMatchingOperationOnly = true): array;
+
+	/**
+	 * @throws RuntimeException
+	 * @since 18.0.0
+	 */
+	public function getFlows(bool $returnFirstMatchingOperationOnly = true): array;
+
+	/**
+	 * this method can only be called once and is typically called by the
+	 * Flow engine, unless for IComplexOperations.
+	 *
+	 * @throws RuntimeException
+	 * @since 18.0.0
+	 */
+	public function setOperation(IOperation $operation): void;
+
+	/**
+	 * this method can only be called once and is typically called by the
+	 * Flow engine, unless for IComplexOperations.
+	 *
+	 * @throws RuntimeException
+	 * @since 18.0.0
+	 */
+	public function setEntity(IEntity $entity): void;
 }