Move \OC\Session to PSR-4

5 files changed, 613 insertions, 0 deletions

diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
new file mode 100644
index 00000000000..f6c585c1611
--- /dev/null
+++ b/lib/private/Session/CryptoSessionData.php
@@ -0,0 +1,186 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+use OCP\ISession;
+use OCP\Security\ICrypto;
+
+/**
+ * Class CryptoSessionData
+ *
+ * @package OC\Session
+ */
+class CryptoSessionData implements \ArrayAccess, ISession {
+	/** @var ISession */
+	protected $session;
+	/** @var \OCP\Security\ICrypto */
+	protected $crypto;
+	/** @var string */
+	protected $passphrase;
+	/** @var array */
+	protected $sessionValues;
+	/** @var bool */
+	protected $isModified = false;
+	CONST encryptedSessionName = 'encrypted_session_data';
+
+	/**
+	 * @param ISession $session
+	 * @param ICrypto $crypto
+	 * @param string $passphrase
+	 */
+	public function __construct(ISession $session,
+								ICrypto $crypto,
+								$passphrase) {
+		$this->crypto = $crypto;
+		$this->session = $session;
+		$this->passphrase = $passphrase;
+		$this->initializeSession();
+	}
+
+	/**
+	 * Close session if class gets destructed
+	 */
+	public function __destruct() {
+		$this->close();
+	}
+
+	protected function initializeSession() {
+		$encryptedSessionData = $this->session->get(self::encryptedSessionName);
+		try {
+			$this->sessionValues = json_decode(
+				$this->crypto->decrypt($encryptedSessionData, $this->passphrase),
+				true
+			);
+		} catch (\Exception $e) {
+			$this->sessionValues = [];
+		}
+	}
+
+	/**
+	 * Set a value in the session
+	 *
+	 * @param string $key
+	 * @param mixed $value
+	 */
+	public function set($key, $value) {
+		$this->sessionValues[$key] = $value;
+		$this->isModified = true;
+	}
+
+	/**
+	 * Get a value from the session
+	 *
+	 * @param string $key
+	 * @return string|null Either the value or null
+	 */
+	public function get($key) {
+		if(isset($this->sessionValues[$key])) {
+			return $this->sessionValues[$key];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Check if a named key exists in the session
+	 *
+	 * @param string $key
+	 * @return bool
+	 */
+	public function exists($key) {
+		return isset($this->sessionValues[$key]);
+	}
+
+	/**
+	 * Remove a $key/$value pair from the session
+	 *
+	 * @param string $key
+	 */
+	public function remove($key) {
+		$this->isModified = true;
+		unset($this->sessionValues[$key]);
+		$this->session->remove(self::encryptedSessionName);
+	}
+
+	/**
+	 * Reset and recreate the session
+	 */
+	public function clear() {
+		$this->sessionValues = [];
+		$this->isModified = true;
+		$this->session->clear();
+	}
+
+	/**
+	 * Wrapper around session_regenerate_id
+	 *
+	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+	 * @return void
+	 */
+	public function regenerateId($deleteOldSession = true) {
+		$this->session->regenerateId($deleteOldSession);
+	}
+
+	/**
+	 * Close the session and release the lock, also writes all changed data in batch
+	 */
+	public function close() {
+		if($this->isModified) {
+			$encryptedValue = $this->crypto->encrypt(json_encode($this->sessionValues), $this->passphrase);
+			$this->session->set(self::encryptedSessionName, $encryptedValue);
+			$this->isModified = false;
+		}
+		$this->session->close();
+	}
+
+	/**
+	 * @param mixed $offset
+	 * @return bool
+	 */
+	public function offsetExists($offset) {
+		return $this->exists($offset);
+	}
+
+	/**
+	 * @param mixed $offset
+	 * @return mixed
+	 */
+	public function offsetGet($offset) {
+		return $this->get($offset);
+	}
+
+	/**
+	 * @param mixed $offset
+	 * @param mixed $value
+	 */
+	public function offsetSet($offset, $value) {
+		$this->set($offset, $value);
+	}
+
+	/**
+	 * @param mixed $offset
+	 */
+	public function offsetUnset($offset) {
+		$this->remove($offset);
+	}
+}
diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
new file mode 100644
index 00000000000..f1819b31b89
--- /dev/null
+++ b/lib/private/Session/CryptoWrapper.php
@@ -0,0 +1,102 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ * @author Lukas Reschke <lukas@owncloud.com>
+ * @author Phil Davis <phil.davis@inf.org>
+ * @author Roeland Jago Douma <rullzer@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+use OCP\IConfig;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+
+/**
+ * Class CryptoWrapper provides some rough basic level of additional security by
+ * storing the session data in an encrypted form.
+ *
+ * The content of the session is encrypted using another cookie sent by the browser.
+ * One should note that an adversary with access to the source code or the system
+ * memory is still able to read the original session ID from the users' request.
+ * This thus can not be considered a strong security measure one should consider
+ * it as an additional small security obfuscation layer to comply with compliance
+ * guidelines.
+ *
+ * TODO: Remove this in a future release with an approach such as
+ * https://github.com/owncloud/core/pull/17866
+ *
+ * @package OC\Session
+ */
+class CryptoWrapper {
+	const COOKIE_NAME = 'oc_sessionPassphrase';
+
+	/** @var ISession */
+	protected $session;
+
+	/** @var \OCP\Security\ICrypto */
+	protected $crypto;
+
+	/** @var ISecureRandom */
+	protected $random;
+
+	/**
+	 * @param IConfig $config
+	 * @param ICrypto $crypto
+	 * @param ISecureRandom $random
+	 * @param IRequest $request
+	 */
+	public function __construct(IConfig $config,
+								ICrypto $crypto,
+								ISecureRandom $random,
+								IRequest $request) {
+		$this->crypto = $crypto;
+		$this->config = $config;
+		$this->random = $random;
+
+		if (!is_null($request->getCookie(self::COOKIE_NAME))) {
+			$this->passphrase = $request->getCookie(self::COOKIE_NAME);
+		} else {
+			$this->passphrase = $this->random->generate(128);
+			$secureCookie = $request->getServerProtocol() === 'https';
+			// FIXME: Required for CI
+			if (!defined('PHPUNIT_RUN')) {
+				$webRoot = \OC::$WEBROOT;
+				if($webRoot === '') {
+					$webRoot = '/';
+				}
+				setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
+			}
+		}
+	}
+
+	/**
+	 * @param ISession $session
+	 * @return ISession
+	 */
+	public function wrapSession(ISession $session) {
+		if (!($session instanceof CryptoSessionData)) {
+			return new CryptoSessionData($session, $this->crypto, $this->passphrase);
+		}
+
+		return $session;
+	}
+}
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
new file mode 100644
index 00000000000..09175bf1f2f
--- /dev/null
+++ b/lib/private/Session/Internal.php
@@ -0,0 +1,138 @@
+<?php
+/**
+ * @author cetra3 <peter@parashift.com.au>
+ * @author Lukas Reschke <lukas@owncloud.com>
+ * @author Morris Jobke <hey@morrisjobke.de>
+ * @author Phil Davis <phil.davis@inf.org>
+ * @author Robin Appelman <icewind@owncloud.com>
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+/**
+ * Class Internal
+ *
+ * wrap php's internal session handling into the Session interface
+ *
+ * @package OC\Session
+ */
+class Internal extends Session {
+	/**
+	 * @param string $name
+	 * @throws \Exception
+	 */
+	public function __construct($name) {
+		session_name($name);
+		set_error_handler(array($this, 'trapError'));
+		try {
+			session_start();
+		} catch (\Exception $e) {
+			setcookie(session_name(), null, -1, \OC::$WEBROOT ? : '/');
+		}
+		restore_error_handler();
+		if (!isset($_SESSION)) {
+			throw new \Exception('Failed to start session');
+		}
+	}
+
+	/**
+	 * @param string $key
+	 * @param integer $value
+	 */
+	public function set($key, $value) {
+		$this->validateSession();
+		$_SESSION[$key] = $value;
+	}
+
+	/**
+	 * @param string $key
+	 * @return mixed
+	 */
+	public function get($key) {
+		if (!$this->exists($key)) {
+			return null;
+		}
+		return $_SESSION[$key];
+	}
+
+	/**
+	 * @param string $key
+	 * @return bool
+	 */
+	public function exists($key) {
+		return isset($_SESSION[$key]);
+	}
+
+	/**
+	 * @param string $key
+	 */
+	public function remove($key) {
+		if (isset($_SESSION[$key])) {
+			unset($_SESSION[$key]);
+		}
+	}
+
+	public function clear() {
+		session_unset();
+		$this->regenerateId();
+		@session_start();
+		$_SESSION = array();
+	}
+
+	public function close() {
+		session_write_close();
+		parent::close();
+	}
+
+	/**
+	 * Wrapper around session_regenerate_id
+	 *
+	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+	 * @return void
+	 */
+	public function regenerateId($deleteOldSession = true) {
+		@session_regenerate_id($deleteOldSession);
+	}
+
+	/**
+	 * @throws \Exception
+	 */
+	public function reopen() {
+		throw new \Exception('The session cannot be reopened - reopen() is ony to be used in unit testing.');
+	}
+
+	/**
+	 * @param int $errorNumber
+	 * @param string $errorString
+	 * @throws \ErrorException
+	 */
+	public function trapError($errorNumber, $errorString) {
+		throw new \ErrorException($errorString);
+	}
+
+	/**
+	 * @throws \Exception
+	 */
+	private function validateSession() {
+		if ($this->sessionClosed) {
+			throw new \Exception('Session has been closed - no further changes to the session are allowed');
+		}
+	}
+}
diff --git a/lib/private/Session/Memory.php b/lib/private/Session/Memory.php
new file mode 100644
index 00000000000..777458a9aa5
--- /dev/null
+++ b/lib/private/Session/Memory.php
@@ -0,0 +1,108 @@
+<?php
+/**
+ * @author Jörn Friedrich Dreyer <jfd@butonic.de>
+ * @author Lukas Reschke <lukas@owncloud.com>
+ * @author Morris Jobke <hey@morrisjobke.de>
+ * @author Phil Davis <phil.davis@inf.org>
+ * @author Robin Appelman <icewind@owncloud.com>
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+/**
+ * Class Internal
+ *
+ * store session data in an in-memory array, not persistent
+ *
+ * @package OC\Session
+ */
+class Memory extends Session {
+	protected $data;
+
+	public function __construct($name) {
+		//no need to use $name since all data is already scoped to this instance
+		$this->data = array();
+	}
+
+	/**
+	 * @param string $key
+	 * @param integer $value
+	 */
+	public function set($key, $value) {
+		$this->validateSession();
+		$this->data[$key] = $value;
+	}
+
+	/**
+	 * @param string $key
+	 * @return mixed
+	 */
+	public function get($key) {
+		if (!$this->exists($key)) {
+			return null;
+		}
+		return $this->data[$key];
+	}
+
+	/**
+	 * @param string $key
+	 * @return bool
+	 */
+	public function exists($key) {
+		return isset($this->data[$key]);
+	}
+
+	/**
+	 * @param string $key
+	 */
+	public function remove($key) {
+		$this->validateSession();
+		unset($this->data[$key]);
+	}
+
+	public function clear() {
+		$this->data = array();
+	}
+
+	/**
+	 * Stub since the session ID does not need to get regenerated for the cache
+	 *
+	 * @param bool $deleteOldSession
+	 */
+	public function regenerateId($deleteOldSession = true) {}
+
+	/**
+	 * Helper function for PHPUnit execution - don't use in non-test code
+	 */
+	public function reopen() {
+		$this->sessionClosed = false;
+	}
+
+	/**
+	 * In case the session has already been locked an exception will be thrown
+	 *
+	 * @throws \Exception
+	 */
+	private function validateSession() {
+		if ($this->sessionClosed) {
+			throw new \Exception('Session has been closed - no further changes to the session are allowed');
+		}
+	}
+}
diff --git a/lib/private/Session/Session.php b/lib/private/Session/Session.php
new file mode 100644
index 00000000000..198d0049956
--- /dev/null
+++ b/lib/private/Session/Session.php
@@ -0,0 +1,79 @@
+<?php
+/**
+ * @author Morris Jobke <hey@morrisjobke.de>
+ * @author Robin Appelman <icewind@owncloud.com>
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+use OCP\ISession;
+
+abstract class Session implements \ArrayAccess, ISession {
+
+	/**
+	 * @var bool
+	 */
+	protected $sessionClosed = false;
+
+	/**
+	 * $name serves as a namespace for the session keys
+	 *
+	 * @param string $name
+	 */
+	abstract public function __construct($name);
+
+	/**
+	 * @param mixed $offset
+	 * @return bool
+	 */
+	public function offsetExists($offset) {
+		return $this->exists($offset);
+	}
+
+	/**
+	 * @param mixed $offset
+	 * @return mixed
+	 */
+	public function offsetGet($offset) {
+		return $this->get($offset);
+	}
+
+	/**
+	 * @param mixed $offset
+	 * @param mixed $value
+	 */
+	public function offsetSet($offset, $value) {
+		$this->set($offset, $value);
+	}
+
+	/**
+	 * @param mixed $offset
+	 */
+	public function offsetUnset($offset) {
+		$this->remove($offset);
+	}
+
+	/**
+	 * Close the session and release the lock
+	 */
+	public function close() {
+		$this->sessionClosed = true;
+	}
+}