4 files changed, 67 insertions, 45 deletions
diff --git a/apps/files_external/controller/ajaxcontroller.php b/apps/files_external/controller/ajaxcontroller.php
index cb2de432286..c285cd34e70 100644
--- a/apps/files_external/controller/ajaxcontroller.php
+++ b/apps/files_external/controller/ajaxcontroller.php
@@ -25,19 +25,19 @@ namespace OCA\Files_External\Controller;
 use OCP\AppFramework\Controller;
 use OCP\IRequest;
 use OCP\AppFramework\Http\JSONResponse;
-use phpseclib\Crypt\RSA;
+use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 
 class AjaxController extends Controller {
-	public function __construct($appName, IRequest $request) {
+	/** @var RSA */
+	private $rsaMechanism;
+
+	public function __construct($appName, IRequest $request, RSA $rsaMechanism) {
 		parent::__construct($appName, $request);
+		$this->rsaMechanism = $rsaMechanism;
 	}
 
 	private function generateSshKeys() {
-		$rsa = new RSA();
-		$rsa->setPublicKeyFormat(RSA::PUBLIC_FORMAT_OPENSSH);
-		$rsa->setPassword(\OC::$server->getConfig()->getSystemValue('secret', ''));
-
-		$key = $rsa->createKey();
+		$key = $this->rsaMechanism->createKey();
 		// Replace the placeholder label with a more meaningful one
 		$key['publicKey'] = str_replace('phpseclib-generated-key', gethostname(), $key['publickey']);
 
diff --git a/apps/files_external/controller/globalstoragescontroller.php b/apps/files_external/controller/globalstoragescontroller.php
index 756a34fc5d4..7d97fdbb4f4 100644
--- a/apps/files_external/controller/globalstoragescontroller.php
+++ b/apps/files_external/controller/globalstoragescontroller.php
@@ -32,6 +32,7 @@ use \OCP\AppFramework\Http;
 use \OCA\Files_external\Service\GlobalStoragesService;
 use \OCA\Files_external\NotFoundException;
 use \OCA\Files_external\Lib\StorageConfig;
+use \OCA\Files_External\Service\BackendService;
 
 /**
  * Global storages controller
@@ -97,7 +98,7 @@ class GlobalStoragesController extends StoragesController {
 			return $newStorage;
 		}
 
-		$response = $this->validate($newStorage);
+		$response = $this->validate($newStorage, BackendService::PERMISSION_CREATE);
 		if (!empty($response)) {
 			return $response;
 		}
@@ -153,7 +154,7 @@ class GlobalStoragesController extends StoragesController {
 		}
 		$storage->setId($id);
 
-		$response = $this->validate($storage);
+		$response = $this->validate($storage, BackendService::PERMISSION_MODIFY);
 		if (!empty($response)) {
 			return $response;
 		}
@@ -178,4 +179,14 @@ class GlobalStoragesController extends StoragesController {
 
 	}
 
+	/**
+	 * Get the user type for this controller, used in validation
+	 *
+	 * @return string BackendService::USER_* constants
+	 */
+	protected function getUserType() {
+		return BackendService::USER_ADMIN;
+	}
+
+
 }
diff --git a/apps/files_external/controller/storagescontroller.php b/apps/files_external/controller/storagescontroller.php
index 613f22c0331..46202c8ba4a 100644
--- a/apps/files_external/controller/storagescontroller.php
+++ b/apps/files_external/controller/storagescontroller.php
@@ -36,6 +36,7 @@ use \OCA\Files_External\Lib\Backend\Backend;
 use \OCA\Files_External\Lib\Auth\AuthMechanism;
 use \OCP\Files\StorageNotAvailableException;
 use \OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
+use \OCA\Files_External\Service\BackendService;
 
 /**
  * Base class for storages controllers
@@ -124,10 +125,11 @@ abstract class StoragesController extends Controller {
 	 * Validate storage config
 	 *
 	 * @param StorageConfig $storage storage config
+	 * @param int $permissionCheck permission to check
 	 *
 	 * @return DataResponse|null returns response in case of validation error
 	 */
-	protected function validate(StorageConfig $storage) {
+	protected function validate(StorageConfig $storage, $permissionCheck = BackendService::PERMISSION_CREATE) {
 		$mountPoint = $storage->getMountPoint();
 		if ($mountPoint === '' || $mountPoint === '/') {
 			return new DataResponse(
@@ -157,12 +159,36 @@ abstract class StoragesController extends Controller {
 			return new DataResponse(
 				array(
 					'message' => (string)$this->l10n->t('Invalid storage backend "%s"', [
-						$storage->getBackend()->getIdentifier()
+						$backend->getIdentifier()
 					])
 				),
 				Http::STATUS_UNPROCESSABLE_ENTITY
 			);
 		}
+
+		if (!$backend->isPermitted($this->getUserType(), $permissionCheck)) {
+			// not permitted to use backend
+			return new DataResponse(
+				array(
+					'message' => (string)$this->l10n->t('Not permitted to use backend "%s"', [
+						$backend->getIdentifier()
+					])
+				),
+				Http::STATUS_UNPROCESSABLE_ENTITY
+			);
+		}
+		if (!$authMechanism->isPermitted($this->getUserType(), $permissionCheck)) {
+			// not permitted to use auth mechanism
+			return new DataResponse(
+				array(
+					'message' => (string)$this->l10n->t('Not permitted to use authentication mechanism "%s"', [
+						$authMechanism->getIdentifier()
+					])
+				),
+				Http::STATUS_UNPROCESSABLE_ENTITY
+			);
+		}
+
 		if (!$backend->validateStorage($storage)) {
 			// unsatisfied parameters
 			return new DataResponse(
@@ -186,6 +212,13 @@ abstract class StoragesController extends Controller {
 	}
 
 	/**
+	 * Get the user type for this controller, used in validation
+	 *
+	 * @return string BackendService::USER_* constants
+	 */
+	abstract protected function getUserType();
+
+	/**
 	 * Check whether the given storage is available / valid.
 	 *
 	 * Note that this operation can be time consuming depending
diff --git a/apps/files_external/controller/userstoragescontroller.php b/apps/files_external/controller/userstoragescontroller.php
index 0d41e088a76..801c9ab0aae 100644
--- a/apps/files_external/controller/userstoragescontroller.php
+++ b/apps/files_external/controller/userstoragescontroller.php
@@ -62,38 +62,6 @@ class UserStoragesController extends StoragesController {
 	}
 
 	/**
-	 * Validate storage config
-	 *
-	 * @param StorageConfig $storage storage config
-	 *
-	 * @return DataResponse|null returns response in case of validation error
-	 */
-	protected function validate(StorageConfig $storage) {
-		$result = parent::validate($storage);
-
-		if ($result !== null) {
-			return $result;
-		}
-
-		// Verify that the mount point applies for the current user
-		// Prevent non-admin users from mounting local storage and other disabled backends
-		/** @var Backend */
-		$backend = $storage->getBackend();
-		if (!$backend->isVisibleFor(BackendService::VISIBILITY_PERSONAL)) {
-			return new DataResponse(
-				array(
-					'message' => (string)$this->l10n->t('Admin-only storage backend "%s"', [
-						$storage->getBackend()->getIdentifier()
-					])
-				),
-				Http::STATUS_UNPROCESSABLE_ENTITY
-			);
-		}
-
-		return null;
-	}
-
-	/**
 	 * Return storage
 	 *
 	 * @NoAdminRequired
@@ -135,7 +103,7 @@ class UserStoragesController extends StoragesController {
 			return $newStorage;
 		}
 
-		$response = $this->validate($newStorage);
+		$response = $this->validate($newStorage, BackendService::PERMISSION_CREATE);
 		if (!empty($response)) {
 			return $response;
 		}
@@ -183,7 +151,7 @@ class UserStoragesController extends StoragesController {
 		}
 		$storage->setId($id);
 
-		$response = $this->validate($storage);
+		$response = $this->validate($storage, BackendService::PERMISSION_MODIFY);
 		if (!empty($response)) {
 			return $response;
 		}
@@ -218,4 +186,14 @@ class UserStoragesController extends StoragesController {
 	public function destroy($id) {
 		return parent::destroy($id);
 	}
+
+	/**
+	 * Get the user type for this controller, used in validation
+	 *
+	 * @return string BackendService::USER_* constants
+	 */
+	protected function getUserType() {
+		return BackendService::USER_PERSONAL;
+	}
+
 }