author | blizzz <blizzz@arthur-schiwon.de> | 2018-08-15 19:08:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-15 19:08:11 +0200 |
commit | 853e55e31a7f123f920aafcf4d7c92fde5db157b (patch) | |
tree | b19cff053aeba5e414c0f32748fbc400713c4203 | |
parent | 294baf8e5d847ff85e2cf158c13dc02cc3c546ea (diff) | |
parent | 5b54b8cba2aa55ae4804086fc94086be9199708b (diff) | |
Merge pull request #10646 from nextcloud/fix-password-reset-stable13
[stable13] only warn about data loss on password reset if per-user keys are used
-rw-r--r-- | core/Controller/LostController.php | 11 | ||||
-rw-r--r-- | tests/Core/Controller/LostControllerTest.php | 42 |
2 files changed, 51 insertions, 2 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 5350dca0af6..ce98426084b 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -37,6 +37,7 @@ use OCP\AppFramework\Http\JSONResponse;
 use \OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Defaults;
+use OCP\Encryption\IEncryptionModule;
 use OCP\Encryption\IManager;
 use \OCP\IURLGenerator;
 use \OCP\IRequest;
@@ -259,7 +260,15 @@ class LostController extends Controller {
 }

 if ($this->encryptionManager->isEnabled() && !$proceed) {
- return $this->error('', array('encryption' => true));
+ $encryptionModules = $this->encryptionManager->getEncryptionModules();
+ foreach ($encryptionModules as $module) {
+ /** @var IEncryptionModule $instance */
+ $instance = call_user_func($module['callback']);
+ // this way we can find out whether per-user keys are used or a system wide encryption key
+ if ($instance->needDetailedAccessList()) {
+ return $this->error('', array('encryption' => true));
+ }
+ }
 }

 try {
diff --git a/tests/Core/Controller/LostControllerTest.php b/tests/Core/Controller/LostControllerTest.php
index 1e51de649e3..61bdb219184 100644
--- a/tests/Core/Controller/LostControllerTest.php
+++ b/tests/Core/Controller/LostControllerTest.php
@@ -27,6 +27,7 @@ use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Defaults;
+use OCP\Encryption\IEncryptionModule;
 use OCP\Encryption\IManager;
 use OCP\IConfig;
 use OCP\IL10N;
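Review bot: In the second hunk of core/Controller/LostController.php, the data-loss warning now depends on `needDetailedAccessList()`, which the inline comment uses as a proxy for per-user keys. A module that returns false there but still ties key material to the login password would be reset without the warning, leaving the user's files unrecoverable; whether any registered module behaves that way is not visible from this diff. The value returned by `call_user_func($module['callback'])` is also used unchecked, so the guard should fail closed: `if (!($instance instanceof IEncryptionModule) || $instance->needDetailedAccessList()) {`. It would also help to state the proxy assumption in the docblock of `needDetailedAccessList()`, so module authors know this flag gates the reset warning. The enclosing method starts and ends outside the hunk.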
@@ -713,10 +714,49 @@ class LostControllerTest extends \Test\TestCase {
 $this->assertEquals($expectedResponse, $response);
 }

- public function testSetPasswordEncryptionDontProceed() {
+ public function testSetPasswordEncryptionDontProceedPerUserKey() {
+ /** @var IEncryptionModule|PHPUnit_Framework_MockObject_MockObject $encryptionModule */
+ $encryptionModule = $this->createMock(IEncryptionModule::class);
+ $encryptionModule->expects($this->once())->method('needDetailedAccessList')->willReturn(true);
+ $this->encryptionManager->expects($this->once())->method('getEncryptionModules')
+ ->willReturn([0 => ['callback' => function() use ($encryptionModule) { return $encryptionModule; }]]);
 $response = $this->lostController->setPassword('myToken', 'user', 'newpass', false);
 $expectedResponse = ['status' => 'error', 'msg' => '', 'encryption' => true];
 $this->assertSame($expectedResponse, $response);
 }

+ public function testSetPasswordDontProceedMasterKey() {
+ $encryptionModule = $this->createMock(IEncryptionModule::class);
+ $encryptionModule->expects($this->once())->method('needDetailedAccessList')->willReturn(false);
+ $this->encryptionManager->expects($this->once())->method('getEncryptionModules')
+ ->willReturn([0 => ['callback' => function() use ($encryptionModule) { return $encryptionModule; }]]);
+ $this->config->method('getUserValue')
+ ->with('ValidTokenUser', 'core', 'lostpassword', null)
+ ->willReturn('encryptedData');
+ $this->existingUser->method('getLastLogin')
+ ->will($this->returnValue(12344));
+ $this->existingUser->expects($this->once())
+ ->method('setPassword')
+ ->with('NewPassword')
+ ->willReturn(true);
+ $this->userManager->method('get')
+ ->with('ValidTokenUser')
+ ->willReturn($this->existingUser);
+ $this->config->expects($this->once())
+ ->method('deleteUserValue')
+ ->with('ValidTokenUser', 'core', 'lostpassword');
+ $this->timeFactory->method('getTime')
+ ->will($this->returnValue(12348));
+
+ $this->crypto->method('decrypt')
+ ->with(
+ $this->equalTo('encryptedData'),
+ $this->equalTo('test@example.comSECRET')
+ )->willReturn('12345:TheOnlyAndOnlyOneTokenToResetThePassword');
+
+ $response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', false);
+ $expectedResponse = array('status' => 'success');
+ $this->assertSame($expectedResponse, $response);
+ }
+
 } |
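Review bot: Both new tests register exactly one encryption module, so the controller's `foreach` is never exercised with a mixed list or an empty one. A case where the first module returns false from `needDetailedAccessList()` and a second returns true would pin that the warning is still raised. A case with `->willReturn([])` would pin what happens when encryption is enabled but no module is registered; as written the reset proceeds without the warning, which may be unintended. `testSetPasswordDontProceedMasterKey` also lacks the `/** @var IEncryptionModule|PHPUnit_Framework_MockObject_MockObject $encryptionModule */` annotation its sibling test carries.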