From 7210852f075085ab2d678f9554125dedc7e3a310 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 27 Nov 2019 13:59:34 +0100 Subject: [PATCH] allow user flows when the acting user is legitimate, but not its owner for instance, when a sharee changes a file, the owner can act upon Signed-off-by: Arthur Schiwon --- .../lib/AppInfo/Application.php | 3 + apps/workflowengine/lib/Entity/File.php | 96 ++++++++++++++----- apps/workflowengine/lib/Manager.php | 26 +++++ .../lib/Service/RuleMatcher.php | 48 +++++++++- lib/public/WorkflowEngine/IEntity.php | 8 ++ lib/public/WorkflowEngine/IRuleMatcher.php | 31 ++++++ 6 files changed, 183 insertions(+), 29 deletions(-) diff --git a/apps/workflowengine/lib/AppInfo/Application.php b/apps/workflowengine/lib/AppInfo/Application.php index a654c87d2e..933d0cb754 100644 --- a/apps/workflowengine/lib/AppInfo/Application.php +++ b/apps/workflowengine/lib/AppInfo/Application.php @@ -98,6 +98,9 @@ class Application extends \OCP\AppFramework\App { /** @var IOperation $operation */ $operation = $this->getContainer()->query($operationClass); + $ruleMatcher->setEntity($entity); + $ruleMatcher->setOperation($operation); + if ($event instanceof Event) { $entity->prepareRuleMatcher($ruleMatcher, $eventName, $event); $operation->onEvent($eventName, $event, $ruleMatcher); diff --git a/apps/workflowengine/lib/Entity/File.php b/apps/workflowengine/lib/Entity/File.php index a9d71d5f8c..5192100c2c 100644 --- a/apps/workflowengine/lib/Entity/File.php +++ b/apps/workflowengine/lib/Entity/File.php @@ -24,17 +24,19 @@ declare(strict_types=1); namespace OCA\WorkflowEngine\Entity; -use OCA\WorkflowEngine\AppInfo\Application; use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\GenericEvent; use OCP\Files\IRootFolder; +use OCP\Files\Node; +use OCP\Files\NotFoundException; use OCP\IL10N; use OCP\ILogger; use OCP\IURLGenerator; +use OCP\Share\IManager as ShareManager; use OCP\SystemTag\MapperEvent; use OCP\WorkflowEngine\GenericEntityEvent; use OCP\WorkflowEngine\IEntity; use OCP\WorkflowEngine\IRuleMatcher; -use Symfony\Component\EventDispatcher\GenericEvent; class File implements IEntity { @@ -46,12 +48,27 @@ class File implements IEntity { protected $root; /** @var ILogger */ protected $logger; + /** @var string */ + protected $eventName; + /** @var Event */ + protected $event; + /** @var ShareManager */ + private $shareManager; - public function __construct(IL10N $l10n, IURLGenerator $urlGenerator, IRootFolder $root, ILogger $logger) { + private const EVENT_NAMESPACE = '\OCP\Files::'; + + public function __construct( + IL10N $l10n, + IURLGenerator $urlGenerator, + IRootFolder $root, + ILogger $logger, + ShareManager $shareManager + ) { $this->l10n = $l10n; $this->urlGenerator = $urlGenerator; $this->root = $root; $this->logger = $logger; + $this->shareManager = $shareManager; } public function getName(): string { @@ -63,14 +80,13 @@ class File implements IEntity { } public function getEvents(): array { - $namespace = '\OCP\Files::'; return [ - new GenericEntityEvent($this->l10n->t('File created'), $namespace . 'postCreate'), - new GenericEntityEvent($this->l10n->t('File updated'), $namespace . 'postWrite'), - new GenericEntityEvent($this->l10n->t('File renamed'), $namespace . 'postRename'), - new GenericEntityEvent($this->l10n->t('File deleted'), $namespace . 'postDelete'), - new GenericEntityEvent($this->l10n->t('File accessed'), $namespace . 'postTouch'), - new GenericEntityEvent($this->l10n->t('File copied'), $namespace . 'postCopy'), + new GenericEntityEvent($this->l10n->t('File created'), self::EVENT_NAMESPACE . 'postCreate'), + new GenericEntityEvent($this->l10n->t('File updated'), self::EVENT_NAMESPACE . 'postWrite'), + new GenericEntityEvent($this->l10n->t('File renamed'), self::EVENT_NAMESPACE . 'postRename'), + new GenericEntityEvent($this->l10n->t('File deleted'), self::EVENT_NAMESPACE . 'postDelete'), + new GenericEntityEvent($this->l10n->t('File accessed'), self::EVENT_NAMESPACE . 'postTouch'), + new GenericEntityEvent($this->l10n->t('File copied'), self::EVENT_NAMESPACE . 'postCopy'), new GenericEntityEvent($this->l10n->t('Tag assigned'), MapperEvent::EVENT_ASSIGN), ]; } @@ -79,27 +95,55 @@ class File implements IEntity { if (!$event instanceof GenericEvent && !$event instanceof MapperEvent) { return; } - switch ($eventName) { - case 'postCreate': - case 'postWrite': - case 'postDelete': - case 'postTouch': - $ruleMatcher->setEntitySubject($this, $event->getSubject()); - break; - case 'postRename': - case 'postCopy': - $ruleMatcher->setEntitySubject($this, $event->getSubject()[1]); - break; + $this->eventName = $eventName; + $this->event = $event; + try { + $node = $this->getNode(); + $ruleMatcher->setEntitySubject($this, $node); + } catch (NotFoundException $e) { + // pass + } + } + + public function isLegitimatedForUserId(string $uid): bool { + try { + $node = $this->getNode(); + if($node->getOwner()->getUID() === $uid) { + return true; + } + $acl = $this->shareManager->getAccessList($node, true, true); + return array_key_exists($uid, $acl['users']); + } catch (NotFoundException $e) { + return false; + } + } + + /** + * @throws NotFoundException + */ + protected function getNode(): Node { + if (!$this->event instanceof GenericEvent && !$this->event instanceof MapperEvent) { + throw new NotFoundException(); + } + switch ($this->eventName) { + case self::EVENT_NAMESPACE . 'postCreate': + case self::EVENT_NAMESPACE . 'postWrite': + case self::EVENT_NAMESPACE . 'postDelete': + case self::EVENT_NAMESPACE . 'postTouch': + return $this->event->getSubject(); + case self::EVENT_NAMESPACE . 'postRename': + case self::EVENT_NAMESPACE . 'postCopy': + return $this->event->getSubject()[1]; case MapperEvent::EVENT_ASSIGN: - if (!$event instanceof MapperEvent || $event->getObjectType() !== 'files') { - break; + if (!$this->event instanceof MapperEvent || $this->event->getObjectType() !== 'files') { + throw new NotFoundException(); } - $nodes = $this->root->getById((int)$event->getObjectId()); + $nodes = $this->root->getById((int)$this->event->getObjectId()); if (is_array($nodes) && !empty($nodes)) { - $node = array_shift($nodes); - $ruleMatcher->setEntitySubject($this, $node); + return array_shift($nodes); } break; } + throw new NotFoundException(); } } diff --git a/apps/workflowengine/lib/Manager.php b/apps/workflowengine/lib/Manager.php index 1c2c76a94c..b84ae57c2c 100644 --- a/apps/workflowengine/lib/Manager.php +++ b/apps/workflowengine/lib/Manager.php @@ -152,6 +152,32 @@ class Manager implements IManager { return $operations; } + public function getAllConfiguredScopesForOperation(string $operationClass): array { + static $scopesByOperation = []; + if (isset($scopesByOperation[$operationClass])) { + return $scopesByOperation[$operationClass]; + } + + $query = $this->connection->getQueryBuilder(); + + $query->selectDistinct('s.type') + ->addSelect('s.value') + ->from('flow_operations', 'o') + ->leftJoin('o', 'flow_operations_scope', 's', $query->expr()->eq('o.id', 's.operation_id')) + ->where($query->expr()->eq('o.class', $query->createParameter('operationClass'))); + + $query->setParameters(['operationClass' => $operationClass]); + $result = $query->execute(); + + $scopesByOperation[$operationClass] = []; + while ($row = $result->fetch()) { + $scope = new ScopeContext($row['type'], $row['value']); + $scopesByOperation[$operationClass][$scope->getHash()] = $scope; + } + + return $scopesByOperation[$operationClass]; + } + public function getAllOperations(ScopeContext $scopeContext): array { if(isset($this->operations[$scopeContext->getHash()])) { return $this->operations[$scopeContext->getHash()]; diff --git a/apps/workflowengine/lib/Service/RuleMatcher.php b/apps/workflowengine/lib/Service/RuleMatcher.php index 95c68b6337..6f670c65c1 100644 --- a/apps/workflowengine/lib/Service/RuleMatcher.php +++ b/apps/workflowengine/lib/Service/RuleMatcher.php @@ -36,7 +36,9 @@ use OCP\WorkflowEngine\IEntity; use OCP\WorkflowEngine\IEntityCheck; use OCP\WorkflowEngine\IFileCheck; use OCP\WorkflowEngine\IManager; +use OCP\WorkflowEngine\IOperation; use OCP\WorkflowEngine\IRuleMatcher; +use RuntimeException; class RuleMatcher implements IRuleMatcher { @@ -52,8 +54,17 @@ class RuleMatcher implements IRuleMatcher { protected $fileInfo = []; /** @var IL10N */ protected $l; + /** @var IOperation */ + protected $operation; + /** @var IEntity */ + protected $entity; - public function __construct(IUserSession $session, IServerContainer $container, IL10N $l, Manager $manager) { + public function __construct( + IUserSession $session, + IServerContainer $container, + IL10N $l, + Manager $manager + ) { $this->session = $session; $this->manager = $manager; $this->container = $container; @@ -65,11 +76,31 @@ class RuleMatcher implements IRuleMatcher { $this->fileInfo['path'] = $path; } - public function setEntitySubject(IEntity $entity, $subject): void { $this->contexts[get_class($entity)] = [$entity, $subject]; } + public function setOperation(IOperation $operation): void { + if($this->operation !== null) { + throw new RuntimeException('This method must not be called more than once'); + } + $this->operation = $operation; + } + + public function setEntity(IEntity $entity): void { + if($this->entity !== null) { + throw new RuntimeException('This method must not be called more than once'); + } + $this->entity = $entity; + } + + public function getFlows(bool $returnFirstMatchingOperationOnly = true): array { + if(!$this->operation) { + throw new RuntimeException('Operation is not set'); + } + return $this->getMatchingOperations(get_class($this->operation), $returnFirstMatchingOperationOnly); + } + public function getMatchingOperations(string $class, bool $returnFirstMatchingOperationOnly = true): array { $scopes[] = new ScopeContext(IManager::SCOPE_ADMIN); $user = $this->session->getUser(); @@ -82,6 +113,17 @@ class RuleMatcher implements IRuleMatcher { $operations = array_merge($operations, $this->manager->getOperations($class, $scope)); } + $additionalScopes = $this->manager->getAllConfiguredScopesForOperation($class); + foreach ($additionalScopes as $hash => $scopeCandidate) { + /** @var ScopeContext $scopeCandidate */ + if ($scopeCandidate->getScope() !== IManager::SCOPE_USER) { + continue; + } + if ($this->entity->isLegitimatedForUserId($scopeCandidate->getScopeId())) { + $operations = array_merge($operations, $this->manager->getOperations($class, $scopeCandidate)); + } + } + $matches = []; foreach ($operations as $operation) { $checkIds = json_decode($operation['checks'], true); @@ -117,7 +159,7 @@ class RuleMatcher implements IRuleMatcher { if ($checkInstance instanceof IFileCheck) { if (empty($this->fileInfo)) { - throw new \RuntimeException('Must set file info before running the check'); + throw new RuntimeException('Must set file info before running the check'); } $checkInstance->setFileInfo($this->fileInfo['storage'], $this->fileInfo['path']); } elseif ($checkInstance instanceof IEntityCheck) { diff --git a/lib/public/WorkflowEngine/IEntity.php b/lib/public/WorkflowEngine/IEntity.php index b820560049..47e2f10219 100644 --- a/lib/public/WorkflowEngine/IEntity.php +++ b/lib/public/WorkflowEngine/IEntity.php @@ -74,4 +74,12 @@ interface IEntity { */ public function prepareRuleMatcher(IRuleMatcher $ruleMatcher, string $eventName, Event $event): void; + /** + * returns whether the provided user id is allowed to run a flow against + * the known context + * + * @since 18.0.0 + */ + public function isLegitimatedForUserId(string $userId): bool; + } diff --git a/lib/public/WorkflowEngine/IRuleMatcher.php b/lib/public/WorkflowEngine/IRuleMatcher.php index 5569800edb..fa2359edc0 100644 --- a/lib/public/WorkflowEngine/IRuleMatcher.php +++ b/lib/public/WorkflowEngine/IRuleMatcher.php @@ -24,6 +24,8 @@ declare(strict_types=1); namespace OCP\WorkflowEngine; +use RuntimeException; + /** * Class IRuleMatcher * @@ -33,7 +35,36 @@ namespace OCP\WorkflowEngine; */ interface IRuleMatcher extends IFileCheck { /** + * This method is left for backwards compatibility and easier porting of + * apps. Please use 'getFlows' instead (and setOperation if you implement + * an IComplexOperation). + * * @since 18.0.0 + * @deprecated 18.0.0 */ public function getMatchingOperations(string $class, bool $returnFirstMatchingOperationOnly = true): array; + + /** + * @throws RuntimeException + * @since 18.0.0 + */ + public function getFlows(bool $returnFirstMatchingOperationOnly = true): array; + + /** + * this method can only be called once and is typically called by the + * Flow engine, unless for IComplexOperations. + * + * @throws RuntimeException + * @since 18.0.0 + */ + public function setOperation(IOperation $operation): void; + + /** + * this method can only be called once and is typically called by the + * Flow engine, unless for IComplexOperations. + * + * @throws RuntimeException + * @since 18.0.0 + */ + public function setEntity(IEntity $entity): void; }