author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-09-03 10:52:05 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2016-09-26 11:55:42 +0200 |
commit | d884370844c7f807b10aa09e63cb814927011572 (patch) | |
tree | ebafe7b1be706aad48b9aed2b631c5013ee3230c | |
parent | 4659e3ab599f18069765cb2414a8ace8bdf30ca8 (diff) | |
Use true random string as uri for public calendars - as a result we can no longer return the pre-publish-url
-rw-r--r-- | apps/dav/appinfo/v1/caldav.php | 4 | ||||
-rw-r--r-- | apps/dav/lib/AppInfo/Application.php | 5 | ||||
-rw-r--r-- | apps/dav/lib/CalDAV/CalDavBackend.php | 26 | ||||
-rw-r--r-- | apps/dav/lib/CalDAV/Calendar.php | 5 | ||||
-rw-r--r-- | apps/dav/lib/CalDAV/Publishing/PublishPlugin.php | 14 | ||||
-rw-r--r-- | apps/dav/lib/Command/CreateCalendar.php | 3 | ||||
-rw-r--r-- | apps/dav/lib/DAV/PublicAuth.php | 4 | ||||
-rw-r--r-- | apps/dav/lib/RootCollection.php | 6 | ||||
-rw-r--r-- | apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php | 8 | ||||
-rw-r--r-- | apps/dav/tests/unit/CalDAV/CalDavBackendTest.php | 2 | ||||
-rw-r--r-- | apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php | 43 |
11 files changed, 73 insertions, 47 deletions
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php index d9606f20b72..d18e93dd7a9 100644 --- a/apps/dav/appinfo/v1/caldav.php +++ b/apps/dav/appinfo/v1/caldav.php @@ -47,7 +47,9 @@ $principalBackend = new Principal( ); $db = \OC::$server->getDatabaseConnection(); $config = \OC::$server->getConfig(); -$calDavBackend = new CalDavBackend($db, $principalBackend, \OC::$server->getUserManager(), $config); +$userManager = \OC::$server->getUserManager(); +$random = \OC::$server->getSecureRandom(); +$calDavBackend = new CalDavBackend($db, $principalBackend, $userManager, $config, $random); $debugging = \OC::$server->getConfig()->getSystemValue('debug', false); diff --git a/apps/dav/lib/AppInfo/Application.php b/apps/dav/lib/AppInfo/Application.php index 8bc43da5649..69a5e336bbf 100644 --- a/apps/dav/lib/AppInfo/Application.php +++ b/apps/dav/lib/AppInfo/Application.php @@ -81,12 +81,15 @@ class Application extends App { $container->registerService('CalDavBackend', function($c) { /** @var IAppContainer $c */ $db = $c->getServer()->getDatabaseConnection(); + $userManager = $c->getServer()->getUserManager(); $config = $c->getServer()->getConfig(); + $random = $c->getServer()->getSecureRandom(); + $principal = new Principal( $c->getServer()->getUserManager(), $c->getServer()->getGroupManager() ); - return new CalDavBackend($db, $principal, $c->getServer()->getUserManager(), $config); + return new CalDavBackend($db, $principal, $userManager, $config, $random); }); $container->registerService('BirthdayService', function($c) { diff --git a/apps/dav/lib/CalDAV/CalDavBackend.php b/apps/dav/lib/CalDAV/CalDavBackend.php index 0cdfcd69571..7b8c1be51f5 100644 --- a/apps/dav/lib/CalDAV/CalDavBackend.php +++ b/apps/dav/lib/CalDAV/CalDavBackend.php 
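Review bot: The five-argument `new CalDavBackend(...)` call is now written out by hand in caldav.php even though the same construction is registered as the 'CalDavBackend' service in Application.php, and the hand-written form is repeated again in CreateCalendar.php and RootCollection.php later in this diff. Every future constructor change has to be mirrored in four places; resolving the backend through the container (or one small factory) at the entry points would leave a single construction site. In the Application.php closure, `$userManager` is assigned on the first added line but the `new Principal(` argument list still calls `$c->getServer()->getUserManager()` a second time; `$c->getServer()->getUserManager(),` can become `$userManager,`.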
@@ -33,6 +33,7 @@ use OCP\IConfig; use OCP\IDBConnection; use OCP\IUser; use OCP\IUserManager; +use OCP\Security\ISecureRandom; use Sabre\CalDAV\Backend\AbstractBackend; use Sabre\CalDAV\Backend\SchedulingSupport; use Sabre\CalDAV\Backend\SubscriptionSupport; @@ -124,6 +125,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription /** @var IConfig */ private $config; + /** @var ISecureRandom */ + private $random; + /** * CalDavBackend constructor. * @@ -131,16 +135,19 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription * @param Principal $principalBackend * @param IUserManager $userManager * @param IConfig $config + * @param ISecureRandom $random */ public function __construct(IDBConnection $db, Principal $principalBackend, IUserManager $userManager, - IConfig $config) { + IConfig $config, + ISecureRandom $random) { $this->db = $db; $this->principalBackend = $principalBackend; $this->userManager = $userManager; $this->sharingBackend = new Backend($this->db, $principalBackend, 'calendar'); $this->config = $config; + $this->random = $random; } /** @@ -400,10 +407,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription if ($row['components']) { $components = explode(',',$row['components']); } - $uri = md5($this->config->getSystemValue('secret', '') . $row['id']); $calendar = [ 'id' => $row['id'], - 'uri' => $uri, + 'uri' => $row['publicuri'], 'principaluri' => $row['principaluri'], '{' . Plugin::NS_CALENDARSERVER . '}getctag' => 'http://sabre.io/ns/sync/' . ($row['synctoken']?$row['synctoken']:'0'), '{http://sabredav.org/ns}sync-token' => $row['synctoken']?$row['synctoken']:'0', 
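Review bot: `'uri' => $row['publicuri'],` in the row mapping assumes the SELECT above this hunk (outside it) projects the `publicuri` column of dav_shares; if it does not, every public calendar gets a PHP notice and a null uri, and the tests only exercise rows created through setPublishStatus, so please confirm the query. Rows published before this change still hold the md5-derived value that was stored at publish time, and nothing in this diff rotates them, so the "true random" property in the commit message presumably only holds for calendars published after deployment until the old ones are unpublished and published again. That is worth stating in the docblock of the method enclosing this hunk, e.g. `* The uri is the opaque token stored in dav_shares.publicuri; rows created before the random token was introduced keep the value stored at publish time.` The enclosing method starts and ends outside the hunk.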
@@ -1601,24 +1607,28 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription /** * @param boolean $value * @param \OCA\DAV\CalDAV\Calendar $calendar + * @return string|null */ public function setPublishStatus($value, $calendar) { $query = $this->db->getQueryBuilder(); if ($value) { + $publicUri = $this->random->generate(16, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS); $query->insert('dav_shares') ->values([ 'principaluri' => $query->createNamedParameter($calendar->getPrincipalURI()), 'type' => $query->createNamedParameter('calendar'), 'access' => $query->createNamedParameter(self::ACCESS_PUBLIC), 'resourceid' => $query->createNamedParameter($calendar->getResourceId()), - 'publicuri' => $query->createNamedParameter(md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId())) + 'publicuri' => $query->createNamedParameter($publicUri) ]); - } else { - $query->delete('dav_shares') - ->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId()))) - ->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC))); + $query->execute(); + return $publicUri; } + $query->delete('dav_shares') + ->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId()))) + ->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC))); $query->execute(); + return null; } /** diff --git a/apps/dav/lib/CalDAV/Calendar.php b/apps/dav/lib/CalDAV/Calendar.php index d6799d1827b..5fe9be8957d 100644 --- a/apps/dav/lib/CalDAV/Calendar.php +++ b/apps/dav/lib/CalDAV/Calendar.php 
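Review bot: Publishing a calendar that is already published inserts a second dav_shares row with a fresh token and leaves the earlier token valid, because the insert branch never removes or reuses an existing ACCESS_PUBLIC row for the resource; before this change a duplicate at least carried the same deterministic value, now each call mints another working URI. Unless the caller guards against re-publishing (not visible here), a previously issued URI cannot be retired except by unpublishing, which deletes every row for the resource. Running the delete for the resource before the insert, or returning the existing publicuri when one is present, keeps exactly one public URI per calendar. The `@return string|null` line would also help callers if it said when each is returned: `* @return string|null the newly generated public uri when publishing, null when unpublishing`.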
@@ -252,9 +252,12 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable { /** * @param boolean $value + * @return string|null */ function setPublishStatus($value) { - $this->caldavBackend->setPublishStatus($value, $this); + $publicUri = $this->caldavBackend->setPublishStatus($value, $this); + $this->calendarInfo['publicuri'] = $publicUri; + return $publicUri; } /** diff --git a/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php b/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php index 7434da6b62e..0e5377d30c1 100644 --- a/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php +++ b/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php @@ -94,22 +94,16 @@ class PublishPlugin extends ServerPlugin { public function propFind(PropFind $propFind, INode $node) { if ($node instanceof Calendar) { - $token = md5($this->config->getSystemValue('secret', '').$node->getResourceId()); - - $publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token; - - $propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node, $publishUrl) { + $propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node) { if ($node->getPublishStatus()) { // We return the publish-url only if the calendar is published. + $token = $node->getName(); + $publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token; + return new Publisher($publishUrl, true); } }); - $propFind->handle('{'.self::NS_CALENDARSERVER.'}pre-publish-url', function () use ($node, $publishUrl) { - // The pre-publish-url is always returned - return new Publisher($publishUrl, false); - }); - $propFind->handle('{'.self::NS_CALENDARSERVER.'}allowed-sharing-modes', function() use ($node) { return new AllowedSharingModes(!$node->isSubscription(), !$node->isSubscription()); }); diff --git a/apps/dav/lib/Command/CreateCalendar.php b/apps/dav/lib/Command/CreateCalendar.php index 54cb06db666..da1f706a8b8 100644 
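Review bot: In PublishPlugin::propFind the token is now `$token = $node->getName();`, but Calendar::setPublishStatus in the hunk above stores the generated token under `calendarInfo['publicuri']`, which nothing in this plugin reads. For a calendar node reached through the owner's calendar home, getName() is presumably the owner-facing calendar uri rather than the public token, unless Calendar::getName() is overridden outside these hunks; if it is not, the advertised publish-url would end in the owner's calendar name and would not match the publicuri that getPublicCalendars exposes. The plugin should read the stored public uri through a dedicated accessor on Calendar over `calendarInfo['publicuri']` and return no publish-url when it is empty, and the getPublishStatus() check on the line before should be confirmed to reflect the refreshed publish state rather than a value captured at construction. propFind's body continues outside the hunk.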
--- a/apps/dav/lib/Command/CreateCalendar.php +++ b/apps/dav/lib/Command/CreateCalendar.php @@ -76,9 +76,10 @@ class CreateCalendar extends Command { $this->groupManager ); $config = \OC::$server->getConfig(); + $random = \OC::$server->getSecureRandom(); $name = $input->getArgument('name'); - $caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config); + $caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config, $random); $caldav->createCalendar("principals/users/$user", $name, []); } } diff --git a/apps/dav/lib/DAV/PublicAuth.php b/apps/dav/lib/DAV/PublicAuth.php index 3f5d37f1a69..33588fc0add 100644 --- a/apps/dav/lib/DAV/PublicAuth.php +++ b/apps/dav/lib/DAV/PublicAuth.php @@ -86,10 +86,6 @@ class PublicAuth implements BackendInterface { * @return bool */ private function isRequestPublic(RequestInterface $request) { - $params = $request->getQueryParameters(); - if (isset($params['sabreAction']) && $params['sabreAction'] == 'asset') { - return true; - } $url = $request->getPath(); $matchingUrls = array_filter($this->publicURLs, function ($publicUrl) use ($url) { return strpos($url, $publicUrl, 0) === 0; diff --git a/apps/dav/lib/RootCollection.php b/apps/dav/lib/RootCollection.php index f99d5850212..4c76dc30c3f 100644 --- a/apps/dav/lib/RootCollection.php +++ b/apps/dav/lib/RootCollection.php @@ -39,10 +39,12 @@ class RootCollection extends SimpleCollection { public function __construct() { $config = \OC::$server->getConfig(); + $random = \OC::$server->getSecureRandom(); + $userManager = \OC::$server->getUserManager(); $db = \OC::$server->getDatabaseConnection(); $dispatcher = \OC::$server->getEventDispatcher(); $userPrincipalBackend = new Principal( - \OC::$server->getUserManager(), + $userManager, \OC::$server->getGroupManager() ); $groupPrincipalBackend = new GroupPrincipalBackend( 
@@ -60,7 +62,7 @@ class RootCollection extends SimpleCollection { $systemPrincipals->disableListing = $disableListing; $filesCollection = new Files\RootCollection($userPrincipalBackend, 'principals/users'); $filesCollection->disableListing = $disableListing; - $caldavBackend = new CalDavBackend($db, $userPrincipalBackend, \OC::$server->getUserManager(), $config); + $caldavBackend = new CalDavBackend($db, $userPrincipalBackend, $userManager, $config, $random); $calendarRoot = new CalendarRoot($userPrincipalBackend, $caldavBackend, 'principals/users'); $calendarRoot->disableListing = $disableListing; $publicCalendarRoot = new PublicCalendarRoot($caldavBackend); diff --git a/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php index 589c00c377a..2559ecbbf89 100644 --- a/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php +++ b/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php @@ -29,6 +29,7 @@ use OCA\DAV\CalDAV\Calendar; use OCA\DAV\Connector\Sabre\Principal; use OCP\IL10N; use OCP\IConfig; +use OCP\Security\ISecureRandom; use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet; use Sabre\DAV\PropPatch; use Sabre\DAV\Xml\Property\Href; @@ -56,6 +57,9 @@ abstract class AbstractCalDavBackendTest extends TestCase { /** var OCP\IConfig */ protected $config; + /** @var ISecureRandom */ + private $random; + const UNIT_TEST_USER = 'principals/users/caldav-unit-test'; const UNIT_TEST_USER1 = 'principals/users/caldav-unit-test1'; const UNIT_TEST_GROUP = 'principals/groups/caldav-unit-test-group'; 
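Review bot: In AbstractCalDavBackendTest the new `private $random;` sits next to `protected $config;` and the other fixtures the subclasses use; since the concrete backend tests now inspect the generated uri, declaring it `protected $random;` keeps the property set consistent and lets a subclass reach the same ISecureRandom instance without re-resolving it. The `@var ISecureRandom` docblock is good; the neighbouring `/** var OCP\IConfig */` on `$config` is missing its `@` and could be fixed to `/** @var IConfig */` in passing.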
@@ -80,8 +84,8 @@ abstract class AbstractCalDavBackendTest extends TestCase { $db = \OC::$server->getDatabaseConnection(); $this->config = \OC::$server->getConfig(); - $this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config); - + $this->random = \OC::$server->getSecureRandom(); + $this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config, $this->random); $this->tearDown(); } diff --git a/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php index 0c07ed7c292..6f846515d8e 100644 --- a/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php +++ b/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php @@ -350,7 +350,7 @@ EOD; $this->assertEquals(1, count($publicCalendars)); $this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']); - $publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId()); + $publicCalendarURI = $publicCalendars[0]['uri']; $publicCalendar = $this->backend->getPublicCalendar($publicCalendarURI); $this->assertEquals(true, $publicCalendar['{http://owncloud.org/ns}public']); diff --git a/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php b/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php index 85aad24d368..6dfec6d7e1f 100644 --- a/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php +++ b/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php @@ -5,12 +5,11 @@ namespace OCA\DAV\Tests\unit\CalDAV; use OCA\DAV\CalDAV\Calendar; use OCA\DAV\Connector\Sabre\Principal; use OCP\IL10N; -use OCP\IConfig; use OCA\DAV\CalDAV\CalDavBackend; use OCA\DAV\CalDAV\PublicCalendarRoot; use OCP\IUserManager; +use OCP\Security\ISecureRandom; use Test\TestCase; -use Sabre\Uri; /** * Class PublicCalendarRootTest 
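Review bot: In CalDavBackendTest the replacement line `$publicCalendarURI = $publicCalendars[0]['uri'];` takes the uri from the backend and feeds it straight back into getPublicCalendar, so the test no longer checks anything about the token itself; any stored value, including an empty one, would round-trip. Adding a format check right after the assignment, e.g. `$this->assertRegExp('/^[A-Z0-9]{16}$/', $publicCalendarURI);`, pins the alphabet and length chosen in setPublishStatus and would catch a regression to a predictable value. The enclosing test method starts and ends outside the hunk.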
@@ -22,13 +21,10 @@ use Sabre\Uri; class PublicCalendarRootTest extends TestCase { const UNIT_TEST_USER = 'principals/users/caldav-unit-test'; - /** @var CalDavBackend */ private $backend; - /** @var PublicCalendarRoot */ private $publicCalendarRoot; - /** @var IL10N */ private $l10n; /** @var IUserManager */ @@ -37,6 +33,8 @@ class PublicCalendarRootTest extends TestCase { private $principal; /** var IConfig */ protected $config; + /** @var ISecureRandom */ + private $random; public function setUp() { parent::setUp(); @@ -47,12 +45,14 @@ class PublicCalendarRootTest extends TestCase { ->getMock(); $this->config = \OC::$server->getConfig(); $this->userManager = $this->getMockBuilder('\OCP\IUserManager')->getMock(); + $this->random = \OC::$server->getSecureRandom(); $this->backend = new CalDavBackend( $db, $this->principal, $this->userManager, - $this->config + $this->config, + $this->random ); $this->publicCalendarRoot = new PublicCalendarRoot($this->backend); @@ -61,6 +61,18 @@ class PublicCalendarRootTest extends TestCase { ->disableOriginalConstructor()->getMock(); } + public function tearDown() { + parent::tearDown(); + + if (is_null($this->backend)) { + return; + } + $books = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER); + foreach ($books as $book) { + $this->backend->deleteCalendar($book['id']); + } + } + public function testGetName() { $name = $this->publicCalendarRoot->getName(); $this->assertEquals('public-calendars', $name); 
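Review bot: The hunk at `@@ -22,13 +21,10 @@` removes the `@var CalDavBackend`, `@var PublicCalendarRoot` and `@var IL10N` docblocks from `$backend`, `$publicCalendarRoot` and `$l10n` while the same file gains one for `$random`; on untyped properties those annotations are what static analysis and IDEs rely on, so they should stay. In the new tearDown, `parent::tearDown();` runs before the calendars are deleted; the usual order is to clean up first and call the parent last, and `$books` would read better as `$calendars` since getCalendarsForUser returns calendars, not address books.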
@@ -70,13 +82,18 @@ class PublicCalendarRootTest extends TestCase { $calendar = $this->createPublicCalendar(); - $publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId()); + $publicCalendars = $this->backend->getPublicCalendars(); + $this->assertEquals(1, count($publicCalendars)); + $this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']); + + $publicCalendarURI = $publicCalendars[0]['uri']; $calendarResult = $this->publicCalendarRoot->getChild($publicCalendarURI); $this->assertEquals($calendar, $calendarResult); } public function testGetChildren() { + $this->createPublicCalendar(); $publicCalendars = $this->backend->getPublicCalendars(); @@ -84,7 +101,6 @@ class PublicCalendarRootTest extends TestCase { $this->assertEquals(1, count($calendarResults)); $this->assertEquals(new Calendar($this->backend, $publicCalendars[0], $this->l10n), $calendarResults[0]); - } /** @@ -94,16 +110,11 @@ class PublicCalendarRootTest extends TestCase { $this->backend->createCalendar(self::UNIT_TEST_USER, 'Example', []); $calendarInfo = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER)[0]; + $calendar = new Calendar($this->backend, $calendarInfo, $this->l10n); + $publicUri = $calendar->setPublishStatus(true); - $calendarInfo['uri'] = md5($this->config->getSystemValue('secret', '') . $calendarInfo['id']); - list(, $name) = Uri\split($calendarInfo['principaluri']); - $calendarInfo['{DAV:}displayname'] = $calendarInfo['{DAV:}displayname'] . ' (' . $name . ')'; - $calendarInfo['{http://owncloud.org/ns}owner-principal'] = $calendarInfo['principaluri']; - $calendarInfo['{http://owncloud.org/ns}read-only'] = false; - $calendarInfo['{http://owncloud.org/ns}public'] = true; - + $calendarInfo = $this->backend->getPublicCalendar($publicUri); $calendar = new Calendar($this->backend, $calendarInfo, $this->l10n); - $calendar->setPublishStatus(true); return $calendar; } |