From 0fdeefe47c82b18eb6adf1bd66ec2471b4d76c25 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 11 Aug 2016 09:45:15 +0200
Subject: Add ProvisioningAPI middleware The provisioning API has 3 access levels: * Admin * SubAdmin * User This middleware adds a check for the SubAdmin part.
---
apps/provisioning_api/lib/AppInfo/Application.php | 28 ++++++++++
.../Middleware/Exceptions/NotSubAdminException.php | 11 ++++
.../lib/Middleware/ProvisioningApiMiddleware.php | 64 ++++++++++++++++++++++
3 files changed, 103 insertions(+)
create mode 100644 apps/provisioning_api/lib/AppInfo/Application.php
create mode 100644 apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php
create mode 100644 apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
diff --git a/apps/provisioning_api/lib/AppInfo/Application.php b/apps/provisioning_api/lib/AppInfo/Application.php
new file mode 100644
index 00000000000..2d6a82e2ff9
--- /dev/null
+++ b/apps/provisioning_api/lib/AppInfo/Application.php
@@ -0,0 +1,28 @@
+getContainer();
+ $server = $container->getServer();
+
+ $container->registerService('ProvisioningApiMiddleware', function(SimpleContainer $c) use ($server) {
+ $user = $server->getUserManager()->get($c['UserId']);
+ $isAdmin = $user !== null ? $server->getGroupManager()->isAdmin($user->getUID()) : false;
+ $isSubAdmin = $user !== null ? $server->getGroupManager()->getSubAdmin()->isSubAdmin($user) : false;
+ return new ProvisioningApiMiddleware(
+ $c['ControllerMethodReflector'],
+ $isAdmin,
+ $isSubAdmin
+ );
+ });
+ $container->registerMiddleWare('ProvisioningApiMiddleware');
+ }
+}
diff --git a/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php
new file mode 100644
index 00000000000..007ea04db46
--- /dev/null
+++ b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php
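Review bot: The factory closure in `Application.php` resolves `$isAdmin` and `$isSubAdmin` once from `$c['UserId']` and passes the middleware two bare booleans, with nothing recording that an unresolved user must yield `false` for both. A short comment above the `registerService` call would make that fail-closed intent explicit, e.g. `// No resolved user => both flags false, so only @NoSubAdminRequired methods pass this middleware.` The two ternaries can also be written as `$user !== null && $server->getGroupManager()->isAdmin($user->getUID())`, which keeps the null guard and the role check in one expression. The class header and the start of the constructor are not visible in the hunk as shown.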
@@ -0,0 +1,11 @@
+reflector = $reflector;
+ $this->isAdmin = $isAdmin;
+ $this->isSubAdmin = $isSubAdmin;
+ }
+
+ /**
+ * @param \OCP\AppFramework\Controller $controller
+ * @param string $methodName
+ *
+ * @throws NotSubAdminException
+ */
+ public function beforeController($controller, $methodName) {
+ if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) {
+ throw new NotSubAdminException();
+ }
+ }
+
+ /**
+ * @param \OCP\AppFramework\Controller $controller
+ * @param string $methodName
+ * @param \Exception $exception
+ * @throws \Exception
+ * @return Response
+ */
+ public function afterException($controller, $methodName, \Exception $exception) {
+ if ($exception instanceof NotSubAdminException) {
+ throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED);
+ }
+
+ throw $exception;
+ }
+}
\ No newline at end of file
-- cgit v1.2.3
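Review bot: `beforeController` only establishes that the caller is an admin or a sub-admin of some group; it does not tie that role to the user or group the request targets, and its docblock does not say so. Controllers behind it presumably still have to verify that the target lies within the caller's sub-admin scope (they are outside this hunk), so the docblock should state the contract, e.g. `Denies callers who are neither admin nor sub-admin unless the method is annotated @NoSubAdminRequired; per-group scope and admin-only actions must still be enforced by the controller.` Separately, `afterException` is documented with `@return Response` although every path throws, so that tag should be dropped. The class header and constructor signature are not visible in the hunk as shown.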