authorThomas Müller <thomas.mueller@tmit.eu>2016-09-03 10:52:05 +0200
committerLukas Reschke <lukas@statuscode.ch>2016-09-26 11:55:42 +0200
commitd884370844c7f807b10aa09e63cb814927011572 (patch)
treeebafe7b1be706aad48b9aed2b631c5013ee3230c /apps/dav
parent4659e3ab599f18069765cb2414a8ace8bdf30ca8 (diff)
downloadnextcloud-server-d884370844c7f807b10aa09e63cb814927011572.tar.gz
nextcloud-server-d884370844c7f807b10aa09e63cb814927011572.zip
Use true random string as uri for public calendars - as a result we can no longer return the pre-publish-url
Diffstat (limited to 'apps/dav')
-rw-r--r--apps/dav/appinfo/v1/caldav.php4
-rw-r--r--apps/dav/lib/AppInfo/Application.php5
-rw-r--r--apps/dav/lib/CalDAV/CalDavBackend.php26
-rw-r--r--apps/dav/lib/CalDAV/Calendar.php5
-rw-r--r--apps/dav/lib/CalDAV/Publishing/PublishPlugin.php14
-rw-r--r--apps/dav/lib/Command/CreateCalendar.php3
-rw-r--r--apps/dav/lib/DAV/PublicAuth.php4
-rw-r--r--apps/dav/lib/RootCollection.php6
-rw-r--r--apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php8
-rw-r--r--apps/dav/tests/unit/CalDAV/CalDavBackendTest.php2
-rw-r--r--apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php43
11 files changed, 73 insertions, 47 deletions
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
index d9606f20b72..d18e93dd7a9 100644
--- a/apps/dav/appinfo/v1/caldav.php
+++ b/apps/dav/appinfo/v1/caldav.php
@@ -47,7 +47,9 @@ $principalBackend = new Principal(
);
$db = \OC::$server->getDatabaseConnection();
$config = \OC::$server->getConfig();
-$calDavBackend = new CalDavBackend($db, $principalBackend, \OC::$server->getUserManager(), $config);
+$userManager = \OC::$server->getUserManager();
+$random = \OC::$server->getSecureRandom();
+$calDavBackend = new CalDavBackend($db, $principalBackend, $userManager, $config, $random);
$debugging = \OC::$server->getConfig()->getSystemValue('debug', false);
diff --git a/apps/dav/lib/AppInfo/Application.php b/apps/dav/lib/AppInfo/Application.php
index 8bc43da5649..69a5e336bbf 100644
--- a/apps/dav/lib/AppInfo/Application.php
+++ b/apps/dav/lib/AppInfo/Application.php
@@ -81,12 +81,15 @@ class Application extends App {
$container->registerService('CalDavBackend', function($c) {
/** @var IAppContainer $c */
$db = $c->getServer()->getDatabaseConnection();
+ $userManager = $c->getServer()->getUserManager();
$config = $c->getServer()->getConfig();
+ $random = $c->getServer()->getSecureRandom();
+
$principal = new Principal(
$c->getServer()->getUserManager(),
$c->getServer()->getGroupManager()
);
- return new CalDavBackend($db, $principal, $c->getServer()->getUserManager(), $config);
+ return new CalDavBackend($db, $principal, $userManager, $config, $random);
});
$container->registerService('BirthdayService', function($c) {
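Review bot: The new `$userManager` local is passed only to `CalDavBackend`, while the `Principal` constructor a few lines below still calls `$c->getServer()->getUserManager()` directly. The RootCollection.php hunk in this same commit switches both call sites to the local, so for consistency the first `Principal` argument here could become `$userManager,`. This is a style point only; both expressions presumably resolve to the same service.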
diff --git a/apps/dav/lib/CalDAV/CalDavBackend.php b/apps/dav/lib/CalDAV/CalDavBackend.php
index 0cdfcd69571..7b8c1be51f5 100644
--- a/apps/dav/lib/CalDAV/CalDavBackend.php
+++ b/apps/dav/lib/CalDAV/CalDavBackend.php
@@ -33,6 +33,7 @@ use OCP\IConfig;
use OCP\IDBConnection;
use OCP\IUser;
use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
use Sabre\CalDAV\Backend\AbstractBackend;
use Sabre\CalDAV\Backend\SchedulingSupport;
use Sabre\CalDAV\Backend\SubscriptionSupport;
@@ -124,6 +125,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
/** @var IConfig */
private $config;
+ /** @var ISecureRandom */
+ private $random;
+
/**
* CalDavBackend constructor.
*
@@ -131,16 +135,19 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
* @param Principal $principalBackend
* @param IUserManager $userManager
* @param IConfig $config
+ * @param ISecureRandom $random
*/
public function __construct(IDBConnection $db,
Principal $principalBackend,
IUserManager $userManager,
- IConfig $config) {
+ IConfig $config,
+ ISecureRandom $random) {
$this->db = $db;
$this->principalBackend = $principalBackend;
$this->userManager = $userManager;
$this->sharingBackend = new Backend($this->db, $principalBackend, 'calendar');
$this->config = $config;
+ $this->random = $random;
}
/**
@@ -400,10 +407,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
if ($row['components']) {
$components = explode(',',$row['components']);
}
- $uri = md5($this->config->getSystemValue('secret', '') . $row['id']);
$calendar = [
'id' => $row['id'],
- 'uri' => $uri,
+ 'uri' => $row['publicuri'],
'principaluri' => $row['principaluri'],
'{' . Plugin::NS_CALENDARSERVER . '}getctag' => 'http://sabre.io/ns/sync/' . ($row['synctoken']?$row['synctoken']:'0'),
'{http://sabredav.org/ns}sync-token' => $row['synctoken']?$row['synctoken']:'0',
@@ -1601,24 +1607,28 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
/**
* @param boolean $value
* @param \OCA\DAV\CalDAV\Calendar $calendar
+ * @return string|null
*/
public function setPublishStatus($value, $calendar) {
$query = $this->db->getQueryBuilder();
if ($value) {
+ $publicUri = $this->random->generate(16, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS);
$query->insert('dav_shares')
->values([
'principaluri' => $query->createNamedParameter($calendar->getPrincipalURI()),
'type' => $query->createNamedParameter('calendar'),
'access' => $query->createNamedParameter(self::ACCESS_PUBLIC),
'resourceid' => $query->createNamedParameter($calendar->getResourceId()),
- 'publicuri' => $query->createNamedParameter(md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId()))
+ 'publicuri' => $query->createNamedParameter($publicUri)
]);
- } else {
- $query->delete('dav_shares')
- ->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
- ->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
+ $query->execute();
+ return $publicUri;
}
+ $query->delete('dav_shares')
+ ->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
+ ->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
$query->execute();
+ return null;
}
/**
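Review bot: The publish branch of `setPublishStatus()` inserts a new `dav_shares` row with a fresh token on every call and never checks for an existing public share. Publishing an already-published calendar therefore appears to leave the earlier token valid alongside the new one, unless a unique index not visible in this diff prevents it. Deleting the existing public share for the resource before the insert would keep exactly one valid link per calendar. Separately, rows written before this commit still hold the md5-derived value in `publicuri` (the removed line stored it in the same column), so those links stay resolvable until the calendar is unpublished and republished; no migration is visible here. The docblock could also say that the return value is the new public token on publish and `null` on unpublish.
```php
if ($value) {
	// remove any earlier public share so a calendar never has two valid tokens
	$cleanup = $this->db->getQueryBuilder();
	$cleanup->delete('dav_shares')
		->where($cleanup->expr()->eq('resourceid', $cleanup->createNamedParameter($calendar->getResourceId())))
		->andWhere($cleanup->expr()->eq('access', $cleanup->createNamedParameter(self::ACCESS_PUBLIC)));
	$cleanup->execute();
	$publicUri = $this->random->generate(16, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS);
	// … unchanged: insert into dav_shares, execute, return $publicUri …
```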
diff --git a/apps/dav/lib/CalDAV/Calendar.php b/apps/dav/lib/CalDAV/Calendar.php
index d6799d1827b..5fe9be8957d 100644
--- a/apps/dav/lib/CalDAV/Calendar.php
+++ b/apps/dav/lib/CalDAV/Calendar.php
@@ -252,9 +252,12 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
/**
* @param boolean $value
+ * @return string|null
*/
function setPublishStatus($value) {
- $this->caldavBackend->setPublishStatus($value, $this);
+ $publicUri = $this->caldavBackend->setPublishStatus($value, $this);
+ $this->calendarInfo['publicuri'] = $publicUri;
+ return $publicUri;
}
/**
diff --git a/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php b/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php
index 7434da6b62e..0e5377d30c1 100644
--- a/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php
+++ b/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php
@@ -94,22 +94,16 @@ class PublishPlugin extends ServerPlugin {
public function propFind(PropFind $propFind, INode $node) {
if ($node instanceof Calendar) {
- $token = md5($this->config->getSystemValue('secret', '').$node->getResourceId());
-
- $publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
-
- $propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node, $publishUrl) {
+ $propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node) {
if ($node->getPublishStatus()) {
// We return the publish-url only if the calendar is published.
+ $token = $node->getName();
+ $publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
+
return new Publisher($publishUrl, true);
}
});
- $propFind->handle('{'.self::NS_CALENDARSERVER.'}pre-publish-url', function () use ($node, $publishUrl) {
- // The pre-publish-url is always returned
- return new Publisher($publishUrl, false);
- });
-
$propFind->handle('{'.self::NS_CALENDARSERVER.'}allowed-sharing-modes', function() use ($node) {
return new AllowedSharingModes(!$node->isSubscription(), !$node->isSubscription());
});
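Review bot: In the `publish-url` handler, `$token = $node->getName();` may not be the random token for calendars reached through the owner's calendar home. `getName()` is not shown in this diff; if it returns `calendarInfo['uri']` as in Sabre's `Calendar`, it is the public token only for nodes built by `getPublicCalendars()`, which now maps `'uri' => $row['publicuri']`. For an owner's node the URL would then be built from the calendar's own name, while the token that `Calendar::setPublishStatus()` stores sits under `calendarInfo['publicuri']`. Reading the token through a small accessor on `Calendar` that returns `$this->calendarInfo['publicuri']` would make the handler independent of how the node was loaded. `propFind()` continues outside this hunk.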
diff --git a/apps/dav/lib/Command/CreateCalendar.php b/apps/dav/lib/Command/CreateCalendar.php
index 54cb06db666..da1f706a8b8 100644
--- a/apps/dav/lib/Command/CreateCalendar.php
+++ b/apps/dav/lib/Command/CreateCalendar.php
@@ -76,9 +76,10 @@ class CreateCalendar extends Command {
$this->groupManager
);
$config = \OC::$server->getConfig();
+ $random = \OC::$server->getSecureRandom();
$name = $input->getArgument('name');
- $caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config);
+ $caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config, $random);
$caldav->createCalendar("principals/users/$user", $name, []);
}
}
diff --git a/apps/dav/lib/DAV/PublicAuth.php b/apps/dav/lib/DAV/PublicAuth.php
index 3f5d37f1a69..33588fc0add 100644
--- a/apps/dav/lib/DAV/PublicAuth.php
+++ b/apps/dav/lib/DAV/PublicAuth.php
@@ -86,10 +86,6 @@ class PublicAuth implements BackendInterface {
* @return bool
*/
private function isRequestPublic(RequestInterface $request) {
- $params = $request->getQueryParameters();
- if (isset($params['sabreAction']) && $params['sabreAction'] == 'asset') {
- return true;
- }
$url = $request->getPath();
$matchingUrls = array_filter($this->publicURLs, function ($publicUrl) use ($url) {
return strpos($url, $publicUrl, 0) === 0;
diff --git a/apps/dav/lib/RootCollection.php b/apps/dav/lib/RootCollection.php
index f99d5850212..4c76dc30c3f 100644
--- a/apps/dav/lib/RootCollection.php
+++ b/apps/dav/lib/RootCollection.php
@@ -39,10 +39,12 @@ class RootCollection extends SimpleCollection {
public function __construct() {
$config = \OC::$server->getConfig();
+ $random = \OC::$server->getSecureRandom();
+ $userManager = \OC::$server->getUserManager();
$db = \OC::$server->getDatabaseConnection();
$dispatcher = \OC::$server->getEventDispatcher();
$userPrincipalBackend = new Principal(
- \OC::$server->getUserManager(),
+ $userManager,
\OC::$server->getGroupManager()
);
$groupPrincipalBackend = new GroupPrincipalBackend(
@@ -60,7 +62,7 @@ class RootCollection extends SimpleCollection {
$systemPrincipals->disableListing = $disableListing;
$filesCollection = new Files\RootCollection($userPrincipalBackend, 'principals/users');
$filesCollection->disableListing = $disableListing;
- $caldavBackend = new CalDavBackend($db, $userPrincipalBackend, \OC::$server->getUserManager(), $config);
+ $caldavBackend = new CalDavBackend($db, $userPrincipalBackend, $userManager, $config, $random);
$calendarRoot = new CalendarRoot($userPrincipalBackend, $caldavBackend, 'principals/users');
$calendarRoot->disableListing = $disableListing;
$publicCalendarRoot = new PublicCalendarRoot($caldavBackend);
diff --git a/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php
index 589c00c377a..2559ecbbf89 100644
--- a/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php
+++ b/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php
@@ -29,6 +29,7 @@ use OCA\DAV\CalDAV\Calendar;
use OCA\DAV\Connector\Sabre\Principal;
use OCP\IL10N;
use OCP\IConfig;
+use OCP\Security\ISecureRandom;
use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet;
use Sabre\DAV\PropPatch;
use Sabre\DAV\Xml\Property\Href;
@@ -56,6 +57,9 @@ abstract class AbstractCalDavBackendTest extends TestCase {
/** var OCP\IConfig */
protected $config;
+ /** @var ISecureRandom */
+ private $random;
+
const UNIT_TEST_USER = 'principals/users/caldav-unit-test';
const UNIT_TEST_USER1 = 'principals/users/caldav-unit-test1';
const UNIT_TEST_GROUP = 'principals/groups/caldav-unit-test-group';
@@ -80,8 +84,8 @@ abstract class AbstractCalDavBackendTest extends TestCase {
$db = \OC::$server->getDatabaseConnection();
$this->config = \OC::$server->getConfig();
- $this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config);
-
+ $this->random = \OC::$server->getSecureRandom();
+ $this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config, $this->random);
$this->tearDown();
}
diff --git a/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php
index 0c07ed7c292..6f846515d8e 100644
--- a/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php
+++ b/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php
@@ -350,7 +350,7 @@ EOD;
$this->assertEquals(1, count($publicCalendars));
$this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']);
- $publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId());
+ $publicCalendarURI = $publicCalendars[0]['uri'];
$publicCalendar = $this->backend->getPublicCalendar($publicCalendarURI);
$this->assertEquals(true, $publicCalendar['{http://owncloud.org/ns}public']);
diff --git a/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php b/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php
index 85aad24d368..6dfec6d7e1f 100644
--- a/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php
+++ b/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php
@@ -5,12 +5,11 @@ namespace OCA\DAV\Tests\unit\CalDAV;
use OCA\DAV\CalDAV\Calendar;
use OCA\DAV\Connector\Sabre\Principal;
use OCP\IL10N;
-use OCP\IConfig;
use OCA\DAV\CalDAV\CalDavBackend;
use OCA\DAV\CalDAV\PublicCalendarRoot;
use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
use Test\TestCase;
-use Sabre\Uri;
/**
* Class PublicCalendarRootTest
@@ -22,13 +21,10 @@ use Sabre\Uri;
class PublicCalendarRootTest extends TestCase {
const UNIT_TEST_USER = 'principals/users/caldav-unit-test';
-
/** @var CalDavBackend */
private $backend;
-
/** @var PublicCalendarRoot */
private $publicCalendarRoot;
-
/** @var IL10N */
private $l10n;
/** @var IUserManager */
@@ -37,6 +33,8 @@ class PublicCalendarRootTest extends TestCase {
private $principal;
/** var IConfig */
protected $config;
+ /** @var ISecureRandom */
+ private $random;
public function setUp() {
parent::setUp();
@@ -47,12 +45,14 @@ class PublicCalendarRootTest extends TestCase {
->getMock();
$this->config = \OC::$server->getConfig();
$this->userManager = $this->getMockBuilder('\OCP\IUserManager')->getMock();
+ $this->random = \OC::$server->getSecureRandom();
$this->backend = new CalDavBackend(
$db,
$this->principal,
$this->userManager,
- $this->config
+ $this->config,
+ $this->random
);
$this->publicCalendarRoot = new PublicCalendarRoot($this->backend);
@@ -61,6 +61,18 @@ class PublicCalendarRootTest extends TestCase {
->disableOriginalConstructor()->getMock();
}
+ public function tearDown() {
+ parent::tearDown();
+
+ if (is_null($this->backend)) {
+ return;
+ }
+ $books = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER);
+ foreach ($books as $book) {
+ $this->backend->deleteCalendar($book['id']);
+ }
+ }
+
public function testGetName() {
$name = $this->publicCalendarRoot->getName();
$this->assertEquals('public-calendars', $name);
@@ -70,13 +82,18 @@ class PublicCalendarRootTest extends TestCase {
$calendar = $this->createPublicCalendar();
- $publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId());
+ $publicCalendars = $this->backend->getPublicCalendars();
+ $this->assertEquals(1, count($publicCalendars));
+ $this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']);
+
+ $publicCalendarURI = $publicCalendars[0]['uri'];
$calendarResult = $this->publicCalendarRoot->getChild($publicCalendarURI);
$this->assertEquals($calendar, $calendarResult);
}
public function testGetChildren() {
+ $this->createPublicCalendar();
$publicCalendars = $this->backend->getPublicCalendars();
@@ -84,7 +101,6 @@ class PublicCalendarRootTest extends TestCase {
$this->assertEquals(1, count($calendarResults));
$this->assertEquals(new Calendar($this->backend, $publicCalendars[0], $this->l10n), $calendarResults[0]);
-
}
/**
@@ -94,16 +110,11 @@ class PublicCalendarRootTest extends TestCase {
$this->backend->createCalendar(self::UNIT_TEST_USER, 'Example', []);
$calendarInfo = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER)[0];
+ $calendar = new Calendar($this->backend, $calendarInfo, $this->l10n);
+ $publicUri = $calendar->setPublishStatus(true);
- $calendarInfo['uri'] = md5($this->config->getSystemValue('secret', '') . $calendarInfo['id']);
- list(, $name) = Uri\split($calendarInfo['principaluri']);
- $calendarInfo['{DAV:}displayname'] = $calendarInfo['{DAV:}displayname'] . ' (' . $name . ')';
- $calendarInfo['{http://owncloud.org/ns}owner-principal'] = $calendarInfo['principaluri'];
- $calendarInfo['{http://owncloud.org/ns}read-only'] = false;
- $calendarInfo['{http://owncloud.org/ns}public'] = true;
-
+ $calendarInfo = $this->backend->getPublicCalendar($publicUri);
$calendar = new Calendar($this->backend, $calendarInfo, $this->l10n);
- $calendar->setPublishStatus(true);
return $calendar;
}
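Review bot: The updated tests cover only the publish path: `createPublicCalendar()` takes the token from `setPublishStatus(true)` and resolves it. Nothing asserts that the token stops resolving after `setPublishStatus(false)` or that the call then returns `null`. Since revoking a public link is the security-relevant half of this API, a test that publishes, unpublishes and then checks that `getPublicCalendar($publicUri)` no longer returns the calendar would pin that behaviour. How the backend signals a missing token is not visible here, so the assertion would need to match it. The signature of `createPublicCalendar()` lies outside this hunk.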