mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #20505 from nextcloud/fix/noid/system-creds 

do not advertise nulled userId for for systemwide credentials
This commit is contained in:
blizzz 2020-04-16 11:53:24 +02:00 committed by GitHub
parent 8971403ada 5437844b7e
commit d55f4183b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/private/Security/CredentialsManager.php
View File

@ -53,7 +53,7 @@ class CredentialsManager implements ICredentialsManager {
/** /**
* Store a set of credentials * Store a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @param mixed $credentials * @param mixed $credentials
*/ */
@ -61,7 +61,7 @@ class CredentialsManager implements ICredentialsManager {
$value = $this->crypto->encrypt(json_encode($credentials)); $value = $this->crypto->encrypt(json_encode($credentials));
$this->dbConnection->setValues(self::DB_TABLE, [ $this->dbConnection->setValues(self::DB_TABLE, [
'user' => $userId, 'user' => (string)$userId,
'identifier' => $identifier, 'identifier' => $identifier,
], [ ], [
'credentials' => $value, 'credentials' => $value,
@ -71,7 +71,7 @@ class CredentialsManager implements ICredentialsManager {
/** /**
* Retrieve a set of credentials * Retrieve a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @return mixed * @return mixed
*/ */
@ -79,7 +79,7 @@ class CredentialsManager implements ICredentialsManager {
$qb = $this->dbConnection->getQueryBuilder(); $qb = $this->dbConnection->getQueryBuilder();
$qb->select('credentials') $qb->select('credentials')
->from(self::DB_TABLE) ->from(self::DB_TABLE)
->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) ->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
; ;
$result = $qb->execute()->fetch(); $result = $qb->execute()->fetch();
@ -95,14 +95,14 @@ class CredentialsManager implements ICredentialsManager {
/** /**
* Delete a set of credentials * Delete a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @return int rows removed * @return int rows removed
*/ */
public function delete($userId, $identifier) { public function delete($userId, $identifier) {
$qb = $this->dbConnection->getQueryBuilder(); $qb = $this->dbConnection->getQueryBuilder();
$qb->delete(self::DB_TABLE) $qb->delete(self::DB_TABLE)
->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) ->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
; ;
return $qb->execute(); return $qb->execute();

6
lib/public/Security/ICredentialsManager.php
View File

@ -33,7 +33,7 @@ interface ICredentialsManager {
/** /**
* Store a set of credentials * Store a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @param mixed $credentials * @param mixed $credentials
* @since 8.2.0 * @since 8.2.0
@ -43,7 +43,7 @@ interface ICredentialsManager {
/** /**
* Retrieve a set of credentials * Retrieve a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @return mixed * @return mixed
* @since 8.2.0 * @since 8.2.0
@ -53,7 +53,7 @@ interface ICredentialsManager {
/** /**
* Delete a set of credentials * Delete a set of credentials
* *
* @param string|null $userId Null for system-wide credentials * @param string $userId empty string for system-wide credentials
* @param string $identifier * @param string $identifier
* @return int rows removed * @return int rows removed
* @since 8.2.0 * @since 8.2.0

33
tests/lib/Security/CredentialsManagerTest.php
View File

@ -27,6 +27,9 @@ use OCP\IDBConnection;
use OCP\ILogger; use OCP\ILogger;
use OCP\Security\ICrypto; use OCP\Security\ICrypto;
/**
* @group DB
*/
class CredentialsManagerTest extends \Test\TestCase { class CredentialsManagerTest extends \Test\TestCase {
/** @var ICrypto */ /** @var ICrypto */
@ -106,4 +109,34 @@ class CredentialsManagerTest extends \Test\TestCase {
$this->manager->retrieve($userId, $identifier); $this->manager->retrieve($userId, $identifier);
} }
/**
* @dataProvider credentialsProvider
*/
public function testWithDB($userId, $identifier) {
$credentialsManager = \OC::$server->getCredentialsManager();
$secrets = 'Open Sesame';
$credentialsManager->store($userId, $identifier, $secrets);
$received = $credentialsManager->retrieve($userId, $identifier);
$this->assertSame($secrets, $received);
$removedRows = $credentialsManager->delete($userId, $identifier);
$this->assertSame(1, $removedRows);
}
public function credentialsProvider() {
return [
[
'alice',
'privateCredentials'
],
[
'',
'systemCredentials',
],
];
}
} }