mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[Share 2.0] Make the share manager ready for share creation

This commit is contained in:
Roeland Jago Douma 2015-12-15 09:54:12 +01:00
parent a08c497808
commit b15be8f96f
2 changed files with 1676 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

520
lib/private/share20/manager.php
View File

@ -21,8 +21,12 @@
namespace OC\Share20;
use OCP\IAppConfig;
use OCP\IConfig;
use OCP\ILogger;
use OCP\Security\ISecureRandom;
use OCP\Security\IHasher;
use OCP\Files\Mount\IMountManager;
use OCP\IGroupManager;
use OC\Share20\Exception\ShareNotFound;
@ -39,35 +43,422 @@ class Manager {
/** @var ILogger */
private $logger;
/** @var IAppConfig */
private $appConfig;
/** @var IConfig */
private $config;
/** @var ISecureRandom */
private $secureRandom;
/** @var IHasher */
private $hasher;
/** @var IMountManager */
private $mountManager;
/** @var IGroupManager */
private $groupManager;
/**
* Manager constructor.
*
* @param ILogger $logger
* @param IAppConfig $appConfig
* @param IConfig $config
* @param IShareProvider $defaultProvider
* @param ISecureRandom $secureRandom
* @param IHasher $hasher
* @param IMountManager $mountManager
* @param IGroupManager $groupManager
*/
public function __construct(
ILogger $logger,
IAppConfig $appConfig,
IShareProvider $defaultProvider
IConfig $config,
IShareProvider $defaultProvider,
ISecureRandom $secureRandom,
IHasher $hasher,
IMountManager $mountManager,
IGroupManager $groupManager
) {
$this->logger = $logger;
$this->appConfig = $appConfig;
$this->config = $config;
$this->secureRandom = $secureRandom;
$this->hasher = $hasher;
$this->mountManager = $mountManager;
$this->groupManager = $groupManager;
// TEMP SOLUTION JUST TO GET STARTED
$this->defaultProvider = $defaultProvider;
}
/**
* Verify if a password meets all requirements
*
* @param string $password
* @throws \Exception
*/
protected function verifyPassword($password) {
if ($password === null) {
// No password is set, check if this is allowed.
if ($this->shareApiLinkEnforcePassword()) {
throw new \InvalidArgumentException('Passwords are enforced for link shares');
}
return;
}
// Let others verify the password
$accepted = true;
$message = '';
\OCP\Util::emitHook('\OC\Share', 'verifyPassword', [
'password' => $password,
'accepted' => &$accepted,
'message' => &$message
]);
if (!$accepted) {
throw new \Exception($message);
}
}
/**
* Check for generic requirements before creating a share
*
* @param IShare $share
* @throws \Exception
*/
protected function generalCreateChecks(IShare $share) {
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) {
// We expect a valid user as sharedWith for user shares
if (!($share->getSharedWith() instanceof \OCP\IUser)) {
throw new \InvalidArgumentException('SharedWith should be an IUser');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
// We expect a valid group as sharedWith for group shares
if (!($share->getSharedWith() instanceof \OCP\IGroup)) {
throw new \InvalidArgumentException('SharedWith should be an IGroup');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
if ($share->getSharedWith() !== null) {
throw new \InvalidArgumentException('SharedWith should be empty');
}
} else {
// We can't handle other types yet
throw new \InvalidArgumentException('unkown share type');
}
// Verify the initiator of the share is et
if ($share->getSharedBy() === null) {
throw new \InvalidArgumentException('SharedBy should be set');
}
// Cannot share with yourself
if ($share->getSharedWith() === $share->getSharedBy()) {
throw new \InvalidArgumentException('Can\'t share with yourself');
}
// The path should be set
if ($share->getPath() === null) {
throw new \InvalidArgumentException('Path should be set');
}
// And it should be a file or a folder
if (!($share->getPath() instanceof \OCP\Files\File) &&
!($share->getPath() instanceof \OCP\Files\Folder)) {
throw new \InvalidArgumentException('Path should be either a file or a folder');
}
// Check if we actually have share permissions
if (!$share->getPath()->isShareable()) {
throw new \InvalidArgumentException('Path is not shareable');
}
// Permissions should be set
if ($share->getPermissions() === null) {
throw new \InvalidArgumentException('A share requires permissions');
}
// Check that we do not share with more permissions than we have
if ($share->getPermissions() & ~$share->getPath()->getPermissions()) {
throw new \InvalidArgumentException('Cannot increase permissions');
}
// Check that read permissions are always set
if (($share->getPermissions() & \OCP\Constants::PERMISSION_READ) === 0) {
throw new \InvalidArgumentException('Shares need at least read permissions');
}
}
/**
* Validate if the expiration date fits the system settings
*
* @param \DateTime $expireDate The current expiration date (can be null)
* @return \DateTime|null The expiration date or null if $expireDate was null and it is not required
*/
protected function validateExpiredate($expireDate) {
if ($expireDate !== null) {
//Make sure the expiration date is a date
$expireDate->setTime(0, 0, 0);
$date = new \DateTime();
$date->setTime(0, 0, 0);
if ($date >= $expireDate) {
throw new \InvalidArgumentException('Expiration date is in the past');
}
}
// If we enforce the expiration date check that is does not exceed
if ($this->shareApiLinkDefaultExpireDateEnforced()) {
if ($expireDate === null) {
throw new \InvalidArgumentException('Expiration date is enforced');
}
$date = new \DateTime();
$date->setTime(0, 0, 0);
$date->add(new \DateInterval('P' . $this->shareApiLinkDefaultExpireDays() . 'D'));
if ($date < $expireDate) {
throw new \InvalidArgumentException('Cannot set expiration date more than ' . $this->shareApiLinkDefaultExpireDays() . ' in the future');
}
return $expireDate;
}
// If expiredate is empty set a default one if there is a default
if ($expireDate === null && $this->shareApiLinkDefaultExpireDate()) {
$date = new \DateTime();
$date->setTime(0,0,0);
$date->add(new \DateInterval('P'.$this->shareApiLinkDefaultExpireDays().'D'));
return $date;
}
return $expireDate;
}
/**
* Check for pre share requirements for use shares
*
* @param IShare $share
* @throws \Exception
*/
protected function userCreateChecks(IShare $share) {
// Check if we can share with group members only
if ($this->shareWithGroupMembersOnly()) {
// Verify we can share with this user
$groups = array_intersect(
$this->groupManager->getUserGroupIds($share->getSharedBy()),
$this->groupManager->getUserGroupIds($share->getSharedWith())
);
if (empty($groups)) {
throw new \Exception('Only sharing with group members is allowed');
}
}
/*
* TODO: Could be costly, fix
*
* Also this is not what we want in the future.. then we want to squash identical shares.
*/
$existingShares = $this->defaultProvider->getSharesByPath($share->getPath());
foreach($existingShares as $existingShare) {
// Identical share already existst
if ($existingShare->getSharedWith() === $share->getSharedWith()) {
throw new \Exception('Path already shared with this user');
}
// The share is already shared with this user via a group share
if ($existingShare->getShareType() === \OCP\Share::SHARE_TYPE_GROUP &&
$existingShare->getSharedWith()->inGroup($share->getSharedWith()) &&
$existingShare->getShareOwner() !== $share->getShareOwner()) {
throw new \Exception('Path already shared with this user');
}
}
}
/**
* Check for pre share requirements for group shares
*
* @param IShare $share
* @throws \Exception
*/
protected function groupCreateChecks(IShare $share) {
// Verify if the user can share with this group
if ($this->shareWithGroupMembersOnly()) {
if (!$share->getSharedWith()->inGroup($share->getSharedBy())) {
throw new \Exception('Only sharing within your own groups is allowed');
}
}
/*
* TODO: Could be costly, fix
*
* Also this is not what we want in the future.. then we want to squash identical shares.
*/
$existingShares = $this->defaultProvider->getSharesByPath($share->getPath());
foreach($existingShares as $existingShare) {
if ($existingShare->getSharedWith() === $share->getSharedWith()) {
throw new \Exception('Path already shared with this group');
}
}
}
/**
* Check for pre share requirements for link shares
*
* @param IShare $share
* @throws \Exception
*/
protected function linkCreateChecks(IShare $share) {
// Are link shares allowed?
if (!$this->shareApiAllowLinks()) {
throw new \Exception('Link sharing not allowed');
}
// Link shares by definition can't have share permissions
if ($share->getPermissions() & \OCP\Constants::PERMISSION_SHARE) {
throw new \InvalidArgumentException('Link shares can\'t have reshare permissions');
}
// We don't allow deletion on link shares
if ($share->getPermissions() & \OCP\Constants::PERMISSION_DELETE) {
throw new \InvalidArgumentException('Link shares can\'t have delete permissions');
}
// Check if public upload is allowed
if (!$this->shareApiLinkAllowPublicUpload() &&
($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE))) {
throw new \InvalidArgumentException('Public upload not allowed');
}
}
/**
* @param File|Folder $path
*/
protected function pathCreateChecks($path) {
// Make sure that we do not share a path that contains a shared mountpoint
if ($path instanceof \OCP\Files\Folder) {
$mounts = $this->mountManager->findIn($path->getPath());
foreach($mounts as $mount) {
if ($mount->getStorage()->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) {
throw new \InvalidArgumentException('Path contains files shared with you');
}
}
}
}
/**
* Check if the user that is sharing can actually share
*
* @param IShare $share
* @return bool
*/
protected function canShare(IShare $share) {
if (!$this->shareApiEnabled()) {
return false;
}
if ($this->isSharingDisabledForUser($share->getSharedBy())) {
return false;
}
return true;
}
/**
* Share a path
*
* @param Share $share
* @param IShare $share
* @return Share The share object
* @throws \Exception
*
* TODO: handle link share permissions or check them
*/
public function createShare(Share $share) {
public function createShare(IShare $share) {
if (!$this->canShare($share)) {
throw new \Exception('The Share API is disabled');
}
$this->generalCreateChecks($share);
//Verify share type
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) {
$this->userCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$this->groupCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
$this->linkCreateChecks($share);
/*
* For now ignore a set token.
*/
$share->setToken(
$this->secureRandom->getMediumStrengthGenerator()->generate(
\OC\Share\Constants::TOKEN_LENGTH,
\OCP\Security\ISecureRandom::CHAR_LOWER.
\OCP\Security\ISecureRandom::CHAR_UPPER.
\OCP\Security\ISecureRandom::CHAR_DIGITS
)
);
//Verify the expiration date
$share->setExpirationDate($this->validateExpiredate($share->getExpirationDate()));
//Verify the password
$this->verifyPassword($share->getPassword());
// If a password is set. Hash it!
if ($share->getPassword() !== null) {
$share->setPassword($this->hasher->hash($share->getPassword()));
}
}
// Verify if there are any issues with the path
$this->pathCreateChecks($share->getPath());
// On creation of a share the owner is always the owner of the path
$share->setShareOwner($share->getPath()->getOwner());
// Generate the target
$target = $this->config->getSystemValue('share_folder', '/') .'/'. $share->getPath()->getName();
$target = \OC\Files\Filesystem::normalizePath($target);
$share->setTarget($target);
// Pre share hook
$run = true;
$error = '';
$preHookData = [
'itemType' => $share->getPath() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getPath()->getId(),
'shareType' => $share->getShareType(),
'uidOwner' => $share->getSharedBy()->getUID(),
'permissions' => $share->getPermissions(),
'fileSource' => $share->getPath()->getId(),
'expiration' => $share->getExpirationDate(),
'token' => $share->getToken(),
'run' => &$run,
'error' => &$error
];
\OC_Hook::emit('OCP\Share', 'pre_shared', $preHookData);
if ($run === false) {
throw new \Exception($error);
}
$share = $this->defaultProvider->create($share);
// Post share hook
$postHookData = [
'itemType' => $share->getPath() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getPath()->getId(),
'shareType' => $share->getShareType(),
'uidOwner' => $share->getSharedBy()->getUID(),
'permissions' => $share->getPermissions(),
'fileSource' => $share->getPath()->getId(),
'expiration' => $share->getExpirationDate(),
'token' => $share->getToken(),
'id' => $share->getId(),
];
\OC_Hook::emit('OCP\Share', 'post_shared', $postHookData);
return $share;
}
/**
@ -251,4 +642,115 @@ class Manager {
*/
public function getAccessList(\OCP\Files\Node $path) {
}
/**
* Create a new share
* @return IShare;
*/
public function newShare() {
return new \OC\Share20\Share();
}
/**
* Is the share API enabled
*
* @return bool
*/
public function shareApiEnabled() {
return $this->config->getAppValue('core', 'shareapi_enabled', 'yes') === 'yes';
}
/**
* Is public link sharing enabled
*
* @return bool
*/
public function shareApiAllowLinks() {
return $this->config->getAppValue('core', 'shareapi_allow_links', 'yes') === 'yes';
}
/**
* Is password on public link requires
*
* @return bool
*/
public function shareApiLinkEnforcePassword() {
return $this->config->getAppValue('core', 'shareapi_enforce_links_password', 'no') === 'yes';
}
/**
* Is default expire date enabled
*
* @return bool
*/
public function shareApiLinkDefaultExpireDate() {
return $this->config->getAppValue('core', 'shareapi_default_expire_date', 'no') === 'yes';
}
/**
* Is default expire date enforced
*`
* @return bool
*/
public function shareApiLinkDefaultExpireDateEnforced() {
return $this->config->getAppValue('core', 'shareapi_enforce_expire_date', 'no') === 'yes';
}
/**
* Number of default expire days
*shareApiLinkAllowPublicUpload
* @return int
*/
public function shareApiLinkDefaultExpireDays() {
return (int)$this->config->getAppValue('core', 'shareapi_expire_after_n_days', '7');
}
/**
* Allow public upload on link shares
*
* @return bool
*/
public function shareApiLinkAllowPublicUpload() {
return $this->config->getAppValue('core', 'shareapi_allow_public_upload', 'yes') === 'yes';
}
/**
* check if user can only share with group members
* @return bool
*/
public function shareWithGroupMembersOnly() {
return $this->config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
}
/**
* Copied from \OC_Util::isSharingDisabledForUser
*
* TODO: Deprecate fuction from OC_Util
*
* @param IUser $user
* @return bool
*/
public function isSharingDisabledForUser($user) {
if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {
$groupsList = $this->config->getAppValue('core', 'shareapi_exclude_groups_list', '');
$excludedGroups = json_decode($groupsList);
if (is_null($excludedGroups)) {
$excludedGroups = explode(',', $groupsList);
$newValue = json_encode($excludedGroups);
$this->config->setAppValue('core', 'shareapi_exclude_groups_list', $newValue);
}
$usersGroups = $this->groupManager->getUserGroupIds($user);
if (!empty($usersGroups)) {
$remainingGroups = array_diff($usersGroups, $excludedGroups);
// if the user is only in groups which are disabled for sharing then
// sharing is also disabled for the user
if (empty($remainingGroups)) {
return true;
}
}
}
return false;
}
}

1177
tests/lib/share20/managertest.php
View File

File diff suppressed because it is too large Load Diff