authorArthur Schiwon <blizzz@arthur-schiwon.de>2024-03-15 12:51:31 +0100
committerArthur Schiwon <blizzz@arthur-schiwon.de>2024-06-05 19:01:14 +0200
commitf6d6efef3a26fc5524988cdfba780dce035cd61b (patch)
treeea3caeb6b4a9e10b013eb1562135eb6a1973f607
parent340939e688fab5c52061bc9e358587fbd8ec9fc8 (diff)
refactor(Token): introduce scope constants
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r--apps/settings/lib/Controller/AuthSettingsController.php4
-rw-r--r--apps/settings/tests/Controller/AuthSettingsControllerTest.php20
-rw-r--r--apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php5
-rw-r--r--lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php3
-rw-r--r--lib/private/Authentication/Token/PublicKeyToken.php3
-rw-r--r--lib/private/Lockdown/LockdownManager.php4
-rw-r--r--lib/private/Template/JSConfigHelper.php3
-rw-r--r--lib/private/legacy/OC_User.php3
-rw-r--r--lib/public/Authentication/Token/IToken.php9
-rw-r--r--tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php2
-rw-r--r--tests/lib/Authentication/Token/PublicKeyTokenTest.php5
-rw-r--r--tests/lib/Lockdown/Filesystem/NoFSTest.php5
-rw-r--r--tests/lib/Lockdown/LockdownManagerTest.php5
13 files changed, 44 insertions, 27 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 8a01c7c2468..8f8ceb7d9ca 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -241,8 +241,8 @@ class AuthSettingsController extends Controller {
$currentName = $token->getName();
if ($scope !== $token->getScopeAsArray()) {
- $token->setScope(['filesystem' => $scope['filesystem']]);
- $this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
+ $token->setScope([IToken::SCOPE_FILESYSTEM => $scope[IToken::SCOPE_FILESYSTEM]]);
+ $this->publishActivity($scope[IToken::SCOPE_FILESYSTEM] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
}
if (mb_strlen($name) > 128) {
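Review bot: `setScope()` is given a fresh one-key array on the first added line, so any other key the token's scope already holds is discarded whenever the filesystem flag is edited. Now that this commit names a second key, `IToken::SCOPE_SKIP_PASSWORD_VALIDATION`, that loss matters more, and the `OC_User.php` hunk has the mirror image: it writes only the skip key and drops `filesystem`. Merging into the existing scope keeps both: `$newScope = $token->getScopeAsArray(); $newScope[IToken::SCOPE_FILESYSTEM] = (bool)($scope[IToken::SCOPE_FILESYSTEM] ?? false); $token->setScope($newScope);`. `$scope` appears to be the caller-supplied argument of `update()`, so it should not be indexed without a deliberately chosen default. The enclosing method starts and ends outside the hunk.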
diff --git a/apps/settings/tests/Controller/AuthSettingsControllerTest.php b/apps/settings/tests/Controller/AuthSettingsControllerTest.php
index b744b942e09..747515898ea 100644
--- a/apps/settings/tests/Controller/AuthSettingsControllerTest.php
+++ b/apps/settings/tests/Controller/AuthSettingsControllerTest.php
@@ -267,7 +267,7 @@ class AuthSettingsControllerTest extends TestCase {
$token->expects($this->once())
->method('getScopeAsArray')
- ->willReturn(['filesystem' => true]);
+ ->willReturn([IToken::SCOPE_FILESYSTEM => true]);
$token->expects($this->once())
->method('setName')
@@ -277,7 +277,7 @@ class AuthSettingsControllerTest extends TestCase {
->method('updateToken')
->with($this->equalTo($token));
- $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], $newName));
+ $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], $newName));
}
public function dataUpdateFilesystemScope(): array {
@@ -310,17 +310,17 @@ class AuthSettingsControllerTest extends TestCase {
$token->expects($this->once())
->method('getScopeAsArray')
- ->willReturn(['filesystem' => $filesystem]);
+ ->willReturn([IToken::SCOPE_FILESYSTEM => $filesystem]);
$token->expects($this->once())
->method('setScope')
- ->with($this->equalTo(['filesystem' => $newFilesystem]));
+ ->with($this->equalTo([IToken::SCOPE_FILESYSTEM => $newFilesystem]));
$this->tokenProvider->expects($this->once())
->method('updateToken')
->with($this->equalTo($token));
- $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => $newFilesystem], 'App password'));
+ $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => $newFilesystem], 'App password'));
}
public function testUpdateNoChange(): void {
@@ -339,7 +339,7 @@ class AuthSettingsControllerTest extends TestCase {
$token->expects($this->once())
->method('getScopeAsArray')
- ->willReturn(['filesystem' => true]);
+ ->willReturn([IToken::SCOPE_FILESYSTEM => true]);
$token->expects($this->never())
->method('setName');
@@ -351,7 +351,7 @@ class AuthSettingsControllerTest extends TestCase {
->method('updateToken')
->with($this->equalTo($token));
- $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password'));
+ $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password'));
}
public function testUpdateExpired() {
@@ -371,7 +371,7 @@ class AuthSettingsControllerTest extends TestCase {
->method('updateToken')
->with($this->equalTo($token));
- $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password'));
+ $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password'));
}
public function testUpdateTokenWrongUser() {
@@ -389,7 +389,7 @@ class AuthSettingsControllerTest extends TestCase {
$this->tokenProvider->expects($this->never())
->method('updateToken');
- $response = $this->controller->update($tokenId, ['filesystem' => true], 'App password');
+ $response = $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password');
$this->assertSame([], $response->getData());
$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
}
@@ -403,7 +403,7 @@ class AuthSettingsControllerTest extends TestCase {
$this->tokenProvider->expects($this->never())
->method('updateToken');
- $response = $this->controller->update(42, ['filesystem' => true], 'App password');
+ $response = $this->controller->update(42, [IToken::SCOPE_FILESYSTEM => true], 'App password');
$this->assertSame([], $response->getData());
$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
}
diff --git a/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php b/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php
index 5ccec936555..13d720c201e 100644
--- a/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php
+++ b/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php
@@ -30,6 +30,7 @@ use OC\Authentication\Token\PublicKeyToken;
use OCA\Settings\Settings\Personal\Security\Authtokens;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
+use OCP\Authentication\Token\IToken;
use OCP\ISession;
use OCP\IUserSession;
use PHPUnit\Framework\MockObject\MockObject;
@@ -108,7 +109,7 @@ class AuthtokensTest extends TestCase {
'type' => 0,
'canDelete' => false,
'current' => true,
- 'scope' => ['filesystem' => true],
+ 'scope' => [IToken::SCOPE_FILESYSTEM => true],
'canRename' => false,
],
[
@@ -117,7 +118,7 @@ class AuthtokensTest extends TestCase {
'lastActivity' => 0,
'type' => 0,
'canDelete' => true,
- 'scope' => ['filesystem' => true],
+ 'scope' => [IToken::SCOPE_FILESYSTEM => true],
'canRename' => true,
],
]
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
index 9fa4aedd401..5ff9d7386da 100644
--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -15,6 +15,7 @@ use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Session\Exceptions\SessionNotAvailableException;
@@ -85,7 +86,7 @@ class PasswordConfirmationMiddleware extends Middleware {
return;
}
$scope = $token->getScopeAsArray();
- if (isset($scope['sso-based-login']) && $scope['sso-based-login'] === true) {
+ if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
// Users logging in from SSO backends cannot confirm their password by design
return;
}
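Review bot: The key checked in the changed `if` is no longer the one stored on existing tokens, because `IToken::SCOPE_SKIP_PASSWORD_VALIDATION` is defined as `'password-unconfirmable'` while scopes written before this commit use `'sso-based-login'`. That makes this a behaviour change inside a commit titled as a refactor. Tokens carrying the old key stop matching and fall through to the password-confirmation path, which the comment below says SSO users cannot complete; this fails closed, but presumably blocks those users from confirmed actions until a new session token is written. The same applies to the `JSConfigHelper.php` hunk, and the updated middleware test covers only the new key. Either keep the old string as the constant's value, migrate stored scopes, or accept both for a transition, e.g. `if (($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] ?? $scope['sso-based-login'] ?? null) === true) {`.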
diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php
index 0b7a2589f3e..961b7191d84 100644
--- a/lib/private/Authentication/Token/PublicKeyToken.php
+++ b/lib/private/Authentication/Token/PublicKeyToken.php
@@ -9,6 +9,7 @@ declare(strict_types=1);
namespace OC\Authentication\Token;
use OCP\AppFramework\Db\Entity;
+use OCP\Authentication\Token\IToken;
/**
* @method void setId(int $id)
@@ -162,7 +163,7 @@ class PublicKeyToken extends Entity implements INamedToken, IWipeableToken {
$scope = json_decode($this->getScope(), true);
if (!$scope) {
return [
- 'filesystem' => true
+ IToken::SCOPE_FILESYSTEM => true
];
}
return $scope;
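Review bot: The `!$scope` fallback returns `IToken::SCOPE_FILESYSTEM => true` for every falsy decode result, which covers a token that never had a scope but also a stored value that fails to parse (`json_decode` returns null) or decodes to an empty array. For an access-control default that is fail-open. Consider returning the permissive default only when `getScope()` itself is null or empty, and treating undecodable JSON as an error or as no filesystem access. A decoded value that is not an array, such as a JSON string or number, is also returned as-is from a method whose callers index the result. The method starts outside the hunk, so an earlier guard may exist.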
diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php
index 779b1ea2650..3b45709d5c9 100644
--- a/lib/private/Lockdown/LockdownManager.php
+++ b/lib/private/Lockdown/LockdownManager.php
@@ -5,7 +5,7 @@
*/
namespace OC\Lockdown;
-use OC\Authentication\Token\IToken;
+use OCP\Authentication\Token\IToken;
use OCP\ISession;
use OCP\Lockdown\ILockdownManager;
@@ -60,6 +60,6 @@ class LockdownManager implements ILockdownManager {
public function canAccessFilesystem() {
$scope = $this->getScopeAsArray();
- return !$scope || $scope['filesystem'];
+ return !$scope || $scope[IToken::SCOPE_FILESYSTEM];
}
}
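Review bot: `$scope[IToken::SCOPE_FILESYSTEM]` is read without checking that the key exists, while the `OC_User.php` hunk in this commit stores a scope that contains only `IToken::SCOPE_SKIP_PASSWORD_VALIDATION`. If such a token is ever the one set on the manager, this line raises an undefined-key warning and denies filesystem access by accident rather than by decision. Make the missing-key case explicit, e.g. `return !$scope || ($scope[IToken::SCOPE_FILESYSTEM] ?? false);`, which keeps today's result without the warning; use `?? true` instead only if the permissive default from `PublicKeyToken` is meant to apply here. The method is untyped, so a `: bool` return type and a short docblock stating the missing-key policy would also help.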
diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php
index 5c38ae4cc72..a41e99ae8c4 100644
--- a/lib/private/Template/JSConfigHelper.php
+++ b/lib/private/Template/JSConfigHelper.php
@@ -16,6 +16,7 @@ use OCP\App\IAppManager;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken;
use OCP\Constants;
use OCP\Defaults;
use OCP\Files\FileInfo;
@@ -286,6 +287,6 @@ class JSConfigHelper {
return true;
}
$scope = $token->getScopeAsArray();
- return !isset($scope['sso-based-login']) || $scope['sso-based-login'] === false;
+ return !isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) || $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === false;
}
}
diff --git a/lib/private/legacy/OC_User.php b/lib/private/legacy/OC_User.php
index 66d28771ae1..f9f751f7b14 100644
--- a/lib/private/legacy/OC_User.php
+++ b/lib/private/legacy/OC_User.php
@@ -7,6 +7,7 @@
*/
use OC\Authentication\Token\IProvider;
use OC\User\LoginException;
+use OCP\Authentication\Token\IToken;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\IGroupManager;
use OCP\ISession;
@@ -171,7 +172,7 @@ class OC_User {
if (empty($password)) {
$tokenProvider = \OC::$server->get(IProvider::class);
$token = $tokenProvider->getToken($userSession->getSession()->getId());
- $token->setScope(['sso-based-login' => true]);
+ $token->setScope([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]);
$tokenProvider->updateToken($token);
}
diff --git a/lib/public/Authentication/Token/IToken.php b/lib/public/Authentication/Token/IToken.php
index 4f232b83d4e..8c047280924 100644
--- a/lib/public/Authentication/Token/IToken.php
+++ b/lib/public/Authentication/Token/IToken.php
@@ -35,6 +35,15 @@ interface IToken extends JsonSerializable {
public const REMEMBER = 1;
/**
+ * @since 30.0.0
+ */
+ public const SCOPE_FILESYSTEM = 'filesystem';
+ /**
+ * @since 30.0.0
+ */
+ public const SCOPE_SKIP_PASSWORD_VALIDATION = 'password-unconfirmable';
+
+ /**
* Get the token ID
* @since 28.0.0
*/
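Review bot: Both new constants are public API, yet their docblocks carry only `@since`, and the name `SCOPE_SKIP_PASSWORD_VALIDATION` reads as if the login password check were skipped. The consumers visible in this commit use it only to bypass the password-confirmation prompt, which the value `'password-unconfirmable'` describes better than the name does. I would add a description to each, e.g. `Scope key (bool): whether the token may access the user's filesystem` and `Scope key (bool): the session cannot confirm a password (e.g. SSO login), so password confirmation is not enforced`. It is also worth stating there that the second key is meant to be set by the server at login, never taken from client-supplied scope data.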
diff --git a/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php
index f1030c449e2..beee7151264 100644
--- a/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php
@@ -181,7 +181,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
$token = $this->createMock(IToken::class);
$token->method('getScopeAsArray')
- ->willReturn(['sso-based-login' => true]);
+ ->willReturn([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]);
$this->tokenProvider->expects($this->once())
->method('getToken')
->with($sessionId)
diff --git a/tests/lib/Authentication/Token/PublicKeyTokenTest.php b/tests/lib/Authentication/Token/PublicKeyTokenTest.php
index acbddebea35..cc8890002e9 100644
--- a/tests/lib/Authentication/Token/PublicKeyTokenTest.php
+++ b/tests/lib/Authentication/Token/PublicKeyTokenTest.php
@@ -9,11 +9,12 @@ declare(strict_types=1);
namespace Test\Authentication\Token;
use OC\Authentication\Token\PublicKeyToken;
+use OCP\Authentication\Token\IToken;
use Test\TestCase;
class PublicKeyTokenTest extends TestCase {
public function testSetScopeAsArray() {
- $scope = ['filesystem' => false];
+ $scope = [IToken::SCOPE_FILESYSTEM => false];
$token = new PublicKeyToken();
$token->setScope($scope);
$this->assertEquals(json_encode($scope), $token->getScope());
@@ -21,7 +22,7 @@ class PublicKeyTokenTest extends TestCase {
}
public function testDefaultScope() {
- $scope = ['filesystem' => true];
+ $scope = [IToken::SCOPE_FILESYSTEM => true];
$token = new PublicKeyToken();
$this->assertEquals($scope, $token->getScopeAsArray());
}
diff --git a/tests/lib/Lockdown/Filesystem/NoFSTest.php b/tests/lib/Lockdown/Filesystem/NoFSTest.php
index 08429228647..7a636fbaaaa 100644
--- a/tests/lib/Lockdown/Filesystem/NoFSTest.php
+++ b/tests/lib/Lockdown/Filesystem/NoFSTest.php
@@ -9,6 +9,7 @@ namespace Test\Lockdown\Filesystem;
use OC\Authentication\Token\PublicKeyToken;
use OC\Files\Filesystem;
use OC\Lockdown\Filesystem\NullStorage;
+use OCP\Authentication\Token\IToken;
use Test\Traits\UserTrait;
/**
@@ -20,7 +21,7 @@ class NoFSTest extends \Test\TestCase {
protected function tearDown(): void {
$token = new PublicKeyToken();
$token->setScope([
- 'filesystem' => true
+ IToken::SCOPE_FILESYSTEM => true
]);
\OC::$server->get('LockdownManager')->setToken($token);
parent::tearDown();
@@ -30,7 +31,7 @@ class NoFSTest extends \Test\TestCase {
parent::setUp();
$token = new PublicKeyToken();
$token->setScope([
- 'filesystem' => false
+ IToken::SCOPE_FILESYSTEM => false
]);
\OC::$server->get('LockdownManager')->setToken($token);
diff --git a/tests/lib/Lockdown/LockdownManagerTest.php b/tests/lib/Lockdown/LockdownManagerTest.php
index 5ff5a84e800..bb71a6e63de 100644
--- a/tests/lib/Lockdown/LockdownManagerTest.php
+++ b/tests/lib/Lockdown/LockdownManagerTest.php
@@ -8,6 +8,7 @@ namespace Test\Lockdown;
use OC\Authentication\Token\PublicKeyToken;
use OC\Lockdown\LockdownManager;
+use OCP\Authentication\Token\IToken;
use OCP\ISession;
use Test\TestCase;
@@ -29,7 +30,7 @@ class LockdownManagerTest extends TestCase {
public function testCanAccessFilesystemAllowed() {
$token = new PublicKeyToken();
- $token->setScope(['filesystem' => true]);
+ $token->setScope([IToken::SCOPE_FILESYSTEM => true]);
$manager = new LockdownManager($this->sessionCallback);
$manager->setToken($token);
$this->assertTrue($manager->canAccessFilesystem());
@@ -37,7 +38,7 @@ class LockdownManagerTest extends TestCase {
public function testCanAccessFilesystemNotAllowed() {
$token = new PublicKeyToken();
- $token->setScope(['filesystem' => false]);
+ $token->setScope([IToken::SCOPE_FILESYSTEM => false]);
$manager = new LockdownManager($this->sessionCallback);
$manager->setToken($token);
$this->assertFalse($manager->canAccessFilesystem());