diff options
Diffstat (limited to 'lib/private/Lockdown')
| -rw-r--r-- | lib/private/Lockdown/Filesystem/NullCache.php | 127 | ||||
| -rw-r--r-- | lib/private/Lockdown/Filesystem/NullStorage.php | 167 | ||||
| -rw-r--r-- | lib/private/Lockdown/LockdownManager.php | 66 |
3 files changed, 360 insertions, 0 deletions
diff --git a/lib/private/Lockdown/Filesystem/NullCache.php b/lib/private/Lockdown/Filesystem/NullCache.php new file mode 100644 index 00000000000..5a27c5d5c6e --- /dev/null +++ b/lib/private/Lockdown/Filesystem/NullCache.php @@ -0,0 +1,127 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OC\Lockdown\Filesystem; + +use OC\Files\Cache\CacheEntry; +use OC\Files\Search\SearchComparison; +use OCP\Constants; +use OCP\Files\Cache\ICache; +use OCP\Files\Cache\ICacheEntry; +use OCP\Files\FileInfo; +use OCP\Files\Search\ISearchComparison; +use OCP\Files\Search\ISearchOperator; +use OCP\Files\Search\ISearchQuery; + +class NullCache implements ICache { + public function getNumericStorageId() { + return -1; + } + + public function get($file) { + if ($file !== '') { + return false; + } + + return new CacheEntry([ + 'fileid' => -1, + 'parent' => -1, + 'name' => '', + 'path' => '', + 'size' => '0', + 'mtime' => time(), + 'storage_mtime' => time(), + 'etag' => '', + 'mimetype' => FileInfo::MIMETYPE_FOLDER, + 'mimepart' => 'httpd', + 'permissions' => Constants::PERMISSION_READ + ]); + } + + public function getFolderContents($folder) { + return []; + } + + public function getFolderContentsById($fileId) { + return []; + } + + public function put($file, array $data) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function insert($file, array $data) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function update($id, array $data) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function getId($file) { + return -1; + } + + public function getParentId($file) { + return -1; + } + + public function inCache($file) { + return $file === ''; + } + + public function remove($file) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function move($source, $target) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function moveFromCache(ICache $sourceCache, $sourcePath, $targetPath) { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function getStatus($file) { + return ICache::COMPLETE; + } + + public function search($pattern) { + return []; + } + + public function searchByMime($mimetype) { + return []; + } + + public function searchQuery(ISearchQuery $query) { + return []; + } + + public function getIncomplete() { + return []; + } + + public function getPathById($id) { + return ''; + } + + public function normalize($path) { + return $path; + } + + public function copyFromCache(ICache $sourceCache, ICacheEntry $sourceEntry, string $targetPath): int { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function getQueryFilterForStorage(): ISearchOperator { + return new SearchComparison(ISearchComparison::COMPARE_EQUAL, 'storage', -1); + } + + public function getCacheEntryFromSearchResult(ICacheEntry $rawEntry): ?ICacheEntry { + return null; + } +} diff --git a/lib/private/Lockdown/Filesystem/NullStorage.php b/lib/private/Lockdown/Filesystem/NullStorage.php new file mode 100644 index 00000000000..fd952fae637 --- /dev/null +++ b/lib/private/Lockdown/Filesystem/NullStorage.php @@ -0,0 +1,167 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OC\Lockdown\Filesystem; + +use Icewind\Streams\IteratorDirectory; +use OC\Files\FileInfo; +use OC\Files\Storage\Common; +use OCP\Files\Cache\ICache; +use OCP\Files\Storage\IStorage; + +class NullStorage extends Common { + public function __construct(array $parameters) { + parent::__construct($parameters); + } + + public function getId(): string { + return 'null'; + } + + public function mkdir(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function rmdir(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function opendir(string $path): IteratorDirectory { + return new IteratorDirectory(); + } + + public function is_dir(string $path): bool { + return $path === ''; + } + + public function is_file(string $path): bool { + return false; + } + + public function stat(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function filetype(string $path): string|false { + return ($path === '') ? 'dir' : false; + } + + public function filesize(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function isCreatable(string $path): bool { + return false; + } + + public function isReadable(string $path): bool { + return $path === ''; + } + + public function isUpdatable(string $path): bool { + return false; + } + + public function isDeletable(string $path): bool { + return false; + } + + public function isSharable(string $path): bool { + return false; + } + + public function getPermissions(string $path): int { + return 0; + } + + public function file_exists(string $path): bool { + return $path === ''; + } + + public function filemtime(string $path): int|false { + return ($path === '') ? time() : false; + } + + public function file_get_contents(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function file_put_contents(string $path, mixed $data): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function unlink(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function rename(string $source, string $target): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function copy(string $source, string $target): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function fopen(string $path, string $mode): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function getMimeType(string $path): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function hash(string $type, string $path, bool $raw = false): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function free_space(string $path): int { + return FileInfo::SPACE_UNKNOWN; + } + + public function touch(string $path, ?int $mtime = null): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function getLocalFile(string $path): string|false { + return false; + } + + public function hasUpdated(string $path, int $time): bool { + return false; + } + + public function getETag(string $path): string { + return ''; + } + + public function isLocal(): bool { + return false; + } + + public function getDirectDownload(string $path): array|false { + return false; + } + + public function copyFromStorage(IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath, bool $preserveMtime = false): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function moveFromStorage(IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath): never { + throw new \OC\ForbiddenException('This request is not allowed to access the filesystem'); + } + + public function test(): bool { + return true; + } + + public function getOwner(string $path): string|false { + return false; + } + + public function getCache(string $path = '', ?IStorage $storage = null): ICache { + return new NullCache(); + } +} diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php new file mode 100644 index 00000000000..4f351812bad --- /dev/null +++ b/lib/private/Lockdown/LockdownManager.php @@ -0,0 +1,66 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OC\Lockdown; + +use OCP\Authentication\Token\IToken; +use OCP\ISession; +use OCP\Lockdown\ILockdownManager; + +class LockdownManager implements ILockdownManager { + /** @var ISession */ + private $sessionCallback; + + private $enabled = false; + + /** @var array|null */ + private $scope; + + /** + * LockdownManager constructor. + * + * @param callable $sessionCallback we need to inject the session lazily to avoid dependency loops + */ + public function __construct(callable $sessionCallback) { + $this->sessionCallback = $sessionCallback; + } + + + public function enable() { + $this->enabled = true; + } + + /** + * @return ISession + */ + private function getSession() { + $callback = $this->sessionCallback; + return $callback(); + } + + private function getScopeAsArray() { + if (!$this->scope) { + $session = $this->getSession(); + $sessionScope = $session->get('token_scope'); + if ($sessionScope) { + $this->scope = $sessionScope; + } + } + return $this->scope; + } + + public function setToken(IToken $token) { + $this->scope = $token->getScopeAsArray(); + $session = $this->getSession(); + $session->set('token_scope', $this->scope); + $this->enable(); + } + + public function canAccessFilesystem() { + $scope = $this->getScopeAsArray(); + return !$scope || $scope[IToken::SCOPE_FILESYSTEM]; + } +} |