validate reshare attributes based on supershare

mrow4a · mrow4a · commit 547362d8bc3a · 2019-11-12T19:15:57.000+01:00
diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
@@ -311,7 +311,7 @@ protected function validatePermissions(IShare $share) {
 		 *       and this check should be done in Share object's setPermission method
 		 */
 		if ($share->getPermissions() < 0 || $share->getPermissions() > \OCP\Constants::PERMISSION_ALL) {
-			$message_t = $this->l->t('invalid permissionss');
+			$message_t = $this->l->t('Invalid permissions');
 			throw new GenericShareException($message_t, $message_t, 404);
 		}
 
@@ -323,6 +323,9 @@ protected function validatePermissions(IShare $share) {
 		/* Use share node permission as default $maxPermissions */
 		$maxPermissions = $shareNode->getPermissions();
 
+		/* Attributes default is null, as attributes are restricted only in reshare */
+		$maxAttributes = null;
+
 		/*
 		 * Quick fix for #23536
 		 * Non moveable mount points do not have update and delete permissions
@@ -345,21 +348,28 @@ protected function validatePermissions(IShare $share) {
 			if ($shareFileNode) {
 				$shareFileStorage = $shareFileNode->getStorage();
 				if ($shareFileStorage->instanceOfStorage('OCA\Files_Sharing\External\Storage')) {
-					// if $shareFileNode is an incoming federated share, use node permission directly
+					// if $shareFileNode is an incoming federated share, use share node permission directly
 					$maxPermissions = $shareNode->getPermissions();
 				} elseif ($shareFileStorage->instanceOfStorage('OCA\Files_Sharing\SharedStorage')) {
 					// if $shareFileNode is user/group share, use supershare permissions
 					/** @var \OCA\Files_Sharing\SharedStorage $shareFileStorage */
 					'@phan-var \OCA\Files_Sharing\SharedStorage $shareFileStorage';
 					$parentShare = $shareFileStorage->getShare();
 					$maxPermissions = $parentShare->getPermissions();
+					$maxAttributes = $parentShare->getAttributes();
 				}
 			}
 		}
 
 		/* Check that we do not share with more permissions than we have */
 		if (!$this->strictSubsetOfPermissions($maxPermissions, $share->getPermissions())) {
-			$message_t = $this->l->t('Cannot increase permissions of %s', [$share->getNode()->getPath()]);
+			$message_t = $this->l->t('Cannot set the requested share permissions for %s', [$share->getNode()->getName()]);
+			throw new GenericShareException($message_t, $message_t, 404);
+		}
+
+		/* Check that we do not share with more attributes than we have */
+		if ($maxAttributes !== null && !$this->strictSubsetOfAttributes($maxAttributes, $share->getAttributes())) {
+			$message_t = $this->l->t('Cannot set the requested share attributes for %s', [$share->getNode()->getName()]);
 			throw new GenericShareException($message_t, $message_t, 404);
 		}
 	}
@@ -1668,4 +1678,37 @@ private function isNewShare(IShare $share) {
 	private function strictSubsetOfPermissions($allowedPermissions, $newPermissions) {
 		return (($allowedPermissions | $newPermissions) === $allowedPermissions);
 	}
+
+	/**
+	 * Check $newAttributes attribute is a subset of $allowedAttributes
+	 *
+	 * @param IAttributes $allowedAttributes
+	 * @param IAttributes $newAttributes
+	 * @return boolean ,true if $allowedAttributes enabled is super set of $newAttributes enabled, else false
+	 */
+	private function strictSubsetOfAttributes($allowedAttributes, $newAttributes) {
+		// if both are empty, it is strict subset
+		if ((!$allowedAttributes || empty($allowedAttributes->toArray()))
+			&& (!$newAttributes || empty($newAttributes->toArray()))) {
+			return true;
+		}
+
+		// make sure that number of attributes is the same
+		if (\count($allowedAttributes->toArray()) !== \count($newAttributes->toArray())) {
+			return false;
+		}
+
+		// if number of attributes is the same, make sure that attributes are
+		// existing in allowed set and are not being disabled
+		foreach ($newAttributes->toArray() as $newAttribute) {
+			$allowedEnabled = $allowedAttributes->getAttribute($newAttribute['scope'], $newAttribute['key']);
+			if (($newAttribute['enabled'] === true && $allowedEnabled === false)
+				|| ($newAttribute['enabled'] === null && $allowedEnabled !== null)
+				|| $allowedEnabled === null) {
+				return false;
+			}
+		}
+
+		return true;
+	}
 }
diff --git a/tests/lib/Share20/ManagerTest.php b/tests/lib/Share20/ManagerTest.php
@@ -22,6 +22,7 @@
 
 use OC\Files\View;
 use OC\Share20\Manager;
+use OC\Share20\ShareAttributes;
 use OCP\Files\File;
 use OC\Share20\Share;
 use OCP\DB\QueryBuilder\IExpressionBuilder;
@@ -39,9 +40,11 @@
 use OCP\ILogger;
 use OCP\IUser;
 use OCP\IUserManager;
+use OCP\IUserSession;
 use OCP\Security\IHasher;
 use OCP\Security\ISecureRandom;
 use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IAttributes;
 use OCP\Share\IProviderFactory;
 use OCP\Share\IShare;
 use OCP\Share\IShareProvider;
@@ -88,6 +91,8 @@ class ManagerTest extends \Test\TestCase {
 	protected $view;
 	/** @var IDBConnection | \PHPUnit\Framework\MockObject\MockObject */
 	protected $connection;
+	/** @var IUserSession | \PHPUnit\Framework\MockObject\MockObject */
+	protected $userSession;
 
 	public function setUp() {
 		parent::setUp();
@@ -103,6 +108,7 @@ public function setUp() {
 		$this->eventDispatcher = new EventDispatcher();
 		$this->view = $this->createMock(View::class);
 		$this->connection = $this->createMock(IDBConnection::class);
+		$this->userSession = $this->createMock(IUserSession::class);
 
 		$this->l = $this->createMock('\OCP\IL10N');
 		$this->l->method('t')
@@ -125,7 +131,8 @@ public function setUp() {
 			$this->rootFolder,
 			$this->eventDispatcher,
 			$this->view,
-			$this->connection
+			$this->connection,
+			$this->userSession
 		);
 
 		$this->defaultProvider = $this->getMockBuilder('\OC\Share20\DefaultShareProvider')
@@ -819,26 +826,18 @@ public function dataGeneralChecks() {
 		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_GROUP, $rootFolder, $group0, $user0, $user0, 2, null, null), 'You can\'t share your root folder', true];
 		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_LINK, $rootFolder, null, $user0, $user0, 16, null, null), 'You can\'t share your root folder', true];
 
-		/**
-		 * Basic share (not re-share) with enough permission inputs
-		 */
-		$ownerUser = $this->createMock(IUser::class);
-		$ownerUser->method('getUID')->willReturn('user1');
 		$fileFullPermission = $this->createMock(File::class);
 		$fileFullPermission->method('getPermissions')->willReturn(31);
-		$fileFullPermission->method('getOwner')->willReturn($ownerUser);
 		$fileFullPermission->method('isShareable')->willReturn(true);
+
 		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileFullPermission, $user0, $user1, $user1, null, null, null), 'A share requires permissions', true];
 
-		/**
-		 * Normal share (not re-share) with not enough permission input
-		 */
-		$fileLessPermission = $this->createMock(File::class);
-		$fileLessPermission->method('getPermissions')->willReturn(1);
-		$fileLessPermission->method('getOwner')->willReturn($ownerUser);
-		$fileLessPermission->method('isShareable')->willReturn(true);
-		$fileLessPermission->method('getPath')->willReturn('/user1/sharedfile');
-		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileLessPermission, $user0, $user1, $user1, 17, null, null), 'Cannot increase permissions of /user1/sharedfile', true];
+		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileFullPermission, $user0, $user1, $user1, -1, null, null), 'Invalid permissions', true];
+		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileFullPermission, $user0, $user1, $user1, 100, null, null), 'Invalid permissions', true];
+
+		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileFullPermission, $user0, $user1, $user1, 0, null, null), 'Cannot remove all permissions', true];
+
+		$data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $fileFullPermission, $user0, $user1, $user1, 31, null, null), null, false];
 
 		return $data;
 	}
@@ -880,11 +879,120 @@ public function testGeneralChecks($share, $exceptionMessage, $exception) {
 		$this->assertSame($exception, $thrown);
 	}
 
+	public function dataShareNotEnoughPermissions() {
+		$file = $this->createMock(File::class);
+		$file->method('getPermissions')->willReturn(17);
+		$file->method('getName')->willReturn('sharedfile');
+		$file->method('getPath')->willReturn('/user1/sharedfile');
+
+		// Normal share (not re-share) should just use share node permission
+		// exception when trying to share with more permission than share has
+		$share = $this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $file, 'user0', 'user1', 'user1', 31, null, null);
+		$data[] = [$share, null, 'Cannot set the requested share permissions for sharedfile', true];
+
+		// Federated reshare should just use share node permission
+		// exception when trying to share with more permission than node has
+		$fileExternalStorage = $this->createMock('OCA\Files_Sharing\External\Storage');
+		$fileExternalStorage->method('instanceOfStorage')
+			->willReturnCallback(function ($storageClass) {
+				return ($storageClass === 'OCA\Files_Sharing\External\Storage');
+			});
+		$fileExternal = $this->createMock(File::class);
+		$fileExternal->method('getStorage')->willReturn($fileExternalStorage);
+		$share = $this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $file, 'user0', 'user1', 'user2', 31, null, null);
+		$data[] = [$share, $fileExternal, 'Cannot set the requested share permissions for sharedfile', true];
+
+		// Normal reshare should just use supershare node permission
+		// exception when trying to share with more permission than supershare has
+		$superShare = $this->createMock(IShare::class);
+		$superShare->method('getPermissions')->willReturn(1);
+		$fileReshareStorage = $this->createMock('OCA\Files_Sharing\SharedStorage');
+		$fileReshareStorage->method('instanceOfStorage')
+			->willReturnCallback(function ($storageClass) {
+				return ($storageClass === 'OCA\Files_Sharing\SharedStorage');
+			});
+		$fileReshareStorage->method('getShare')->willReturn($superShare);
+		$fileReshare = $this->createMock(File::class);
+		$fileReshare->method('getStorage')->willReturn($fileReshareStorage);
+		$share = $this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $file, 'user0', 'user1', 'user2', 17, null, null);
+		$data[] = [$share, $fileReshare, 'Cannot set the requested share permissions for sharedfile', true];
+
+		// Normal reshare should just use supershare node attributes
+		// exception when trying to share with more attributes than supershare has
+		$superShareAttributes = new ShareAttributes();
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test', true);
+		$superShare = $this->createMock(IShare::class);
+		$superShare->method('getPermissions')->willReturn(17);
+		$superShare->method('getAttributes')->willReturn($superShareAttributes);
+		$fileReshareStorage = $this->createMock('OCA\Files_Sharing\SharedStorage');
+		$fileReshareStorage->method('instanceOfStorage')
+			->willReturnCallback(function ($storageClass) {
+				return ($storageClass === 'OCA\Files_Sharing\SharedStorage');
+			});
+		$fileReshareStorage->method('getShare')->willReturn($superShare);
+		$fileReshare = $this->createMock(File::class);
+		$fileReshare->method('getStorage')->willReturn($fileReshareStorage);
+		$share = $this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $file, 'user0', 'user1', 'user2', 17, null, null, $shareAttributes);
+		$data[] = [$share, $fileReshare, 'Cannot set the requested share attributes for sharedfile', true];
+
+		return $data;
+	}
+
+	/**
+	 * @dataProvider dataShareNotEnoughPermissions
+	 *
+	 * @param $share
+	 * @param $superShareNode
+	 * @param $exceptionMessage
+	 * @param $exception
+	 */
+	public function testShareNotEnoughPermissions($share, $superShareNode, $exceptionMessage, $exception) {
+		$sharer = $this->createMock(IUser::class);
+		$sharer->method('getUID')->willReturn($share->getSharedBy());
+		$this->userSession->method('getUser')->willReturn($sharer);
+
+		$userFolder = $this->createMock(Folder::class);
+		$userFolder->method('getById')->willReturn([$superShareNode]);
+		$this->rootFolder->method('getUserFolder')->willReturn($userFolder);
+
+		try {
+			$this->invokePrivate($this->manager, 'validatePermissions', [$share]);
+			$thrown = false;
+		} catch (\OCP\Share\Exceptions\GenericShareException $e) {
+			$this->assertEquals($exceptionMessage, $e->getHint());
+			$thrown = true;
+		}
+
+		$this->assertSame($exception, $thrown);
+	}
+
+	/**
+	 * Non-movable mount share can be shared with delete and update permission
+	 * even if permission for file do not have this permission
+	 */
+	public function testShareNonMovableMountPermissions() {
+		$nonMovableMountPoint = $this->createMock(IMountPoint::class);
+		$file = $this->createMock(File::class);
+		$file->method('getPermissions')->willReturn(1);
+		$file->method('getMountPoint')->willReturn($nonMovableMountPoint);
+		$share = $this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $file, 'user0', 'user1', 'user1', 11, null, null);
+
+		try {
+			$this->invokePrivate($this->manager, 'validatePermissions', [$share]);
+			$thrown = false;
+		} catch (\Exception $e) {
+			$thrown = true;
+		}
+
+		$this->assertSame(false, $thrown);
+	}
+
 	/**
 	 * @expectedException \OCP\Share\Exceptions\GenericShareException
 	 * @expectedExceptionMessage Expiration date is in the past
 	 */
-	public function testvalidateExpirationDateInPast() {
+	public function testValidateExpirationDateInPast() {
 
 		// Expire date in the past
 		$past = new \DateTime();
@@ -3497,6 +3605,102 @@ public function testGetAllSharedWith() {
 		$this->assertSame($shares, [$share1, $share2]);
 	}
 
+	/**
+	 * @dataProvider strictSubsetOfAttributesDataProvider
+	 *
+	 * @param IAttributes $allowedAttributes
+	 * @param IAttributes $newAttributes
+	 * @param boolean $expected
+	 */
+	public function testStrictSubsetOfAttributes($allowedAttributes, $newAttributes, $expected) {
+		$this->assertEquals(
+			$expected,
+			$this->invokePrivate(
+				$this->manager,
+				'strictSubsetOfAttributes',
+				[$allowedAttributes, $newAttributes]
+			)
+		);
+	}
+
+	public function strictSubsetOfAttributesDataProvider() {
+		// no exception - supershare and share are equal
+		$superShareAttributes = new ShareAttributes();
+		$shareAttributes = new ShareAttributes();
+		$data[] = [$superShareAttributes,$shareAttributes, true];
+
+		// no exception - supershare and share are equal
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test', true);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test', true);
+		$data[] = [$superShareAttributes,$shareAttributes, true];
+
+		// no exception - disabling attribute that supershare has enabled
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test', true);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test', false);
+		$data[] = [$superShareAttributes,$shareAttributes, true];
+
+		// exception - adding an attribute while supershare has none
+		$superShareAttributes = new ShareAttributes();
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test', true);
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - enabling attribute that supershare has disabled
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test', false);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test', true);
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - removing attribute of that supershare has enabled
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test', true);
+		$shareAttributes = new ShareAttributes();
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - removing attribute of that supershare has disabled
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test', false);
+		$shareAttributes = new ShareAttributes();
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - removing one of attributes of supershare
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test1', false);
+		$superShareAttributes->setAttribute('test', 'test2', false);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test1', false);
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - disabling one of attributes of supershare
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test1', false);
+		$superShareAttributes->setAttribute('test', 'test2', false);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test1', false);
+		$shareAttributes->setAttribute('test', 'test2', true);
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		// exception - swaping one of attributes of supershare
+		$superShareAttributes = new ShareAttributes();
+		$superShareAttributes->setAttribute('test', 'test1', false);
+		$superShareAttributes->setAttribute('test', 'test01', false);
+		$superShareAttributes->setAttribute('test', 'test3', true);
+		$superShareAttributes->setAttribute('test', 'test4', null);
+		$shareAttributes = new ShareAttributes();
+		$shareAttributes->setAttribute('test', 'test1', false);
+		$shareAttributes->setAttribute('test', 'test10', false);
+		$superShareAttributes->setAttribute('test', 'test3', null);
+		$superShareAttributes->setAttribute('test', 'test4', true);
+		$data[] = [$superShareAttributes,$shareAttributes, false];
+
+		return $data;
+	}
+
 	/**
 	 * @dataProvider strictSubsetOfPermissionsDataProvider
 	 *
