Merge pull request #20505 from nextcloud/fix/noid/system-creds

do not advertise nulled userId for for systemwide credentials
This commit is contained in:
blizzz 2020-04-16 11:53:24 +02:00 committed by GitHub
commit d55f4183b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 9 deletions

View File

@ -53,7 +53,7 @@ class CredentialsManager implements ICredentialsManager {
/**
* Store a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @param mixed $credentials
*/
@ -61,7 +61,7 @@ class CredentialsManager implements ICredentialsManager {
$value = $this->crypto->encrypt(json_encode($credentials));
$this->dbConnection->setValues(self::DB_TABLE, [
'user' => $userId,
'user' => (string)$userId,
'identifier' => $identifier,
], [
'credentials' => $value,
@ -71,7 +71,7 @@ class CredentialsManager implements ICredentialsManager {
/**
* Retrieve a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @return mixed
*/
@ -79,7 +79,7 @@ class CredentialsManager implements ICredentialsManager {
$qb = $this->dbConnection->getQueryBuilder();
$qb->select('credentials')
->from(self::DB_TABLE)
->where($qb->expr()->eq('user', $qb->createNamedParameter($userId)))
->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
;
$result = $qb->execute()->fetch();
@ -95,14 +95,14 @@ class CredentialsManager implements ICredentialsManager {
/**
* Delete a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @return int rows removed
*/
public function delete($userId, $identifier) {
$qb = $this->dbConnection->getQueryBuilder();
$qb->delete(self::DB_TABLE)
->where($qb->expr()->eq('user', $qb->createNamedParameter($userId)))
->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
;
return $qb->execute();

View File

@ -33,7 +33,7 @@ interface ICredentialsManager {
/**
* Store a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @param mixed $credentials
* @since 8.2.0
@ -43,7 +43,7 @@ interface ICredentialsManager {
/**
* Retrieve a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @return mixed
* @since 8.2.0
@ -53,7 +53,7 @@ interface ICredentialsManager {
/**
* Delete a set of credentials
*
* @param string|null $userId Null for system-wide credentials
* @param string $userId empty string for system-wide credentials
* @param string $identifier
* @return int rows removed
* @since 8.2.0

View File

@ -27,6 +27,9 @@ use OCP\IDBConnection;
use OCP\ILogger;
use OCP\Security\ICrypto;
/**
* @group DB
*/
class CredentialsManagerTest extends \Test\TestCase {
/** @var ICrypto */
@ -106,4 +109,34 @@ class CredentialsManagerTest extends \Test\TestCase {
$this->manager->retrieve($userId, $identifier);
}
/**
* @dataProvider credentialsProvider
*/
public function testWithDB($userId, $identifier) {
$credentialsManager = \OC::$server->getCredentialsManager();
$secrets = 'Open Sesame';
$credentialsManager->store($userId, $identifier, $secrets);
$received = $credentialsManager->retrieve($userId, $identifier);
$this->assertSame($secrets, $received);
$removedRows = $credentialsManager->delete($userId, $identifier);
$this->assertSame(1, $removedRows);
}
public function credentialsProvider() {
return [
[
'alice',
'privateCredentials'
],
[
'',
'systemCredentials',
],
];
}
}