refactor(Token): introduce scope constants

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

apps/settings/lib/Controller/AuthSettingsController.php

@@ -241,8 +241,8 @@ public function update($id, array $scope, string $name) {
 		$currentName = $token->getName();
 
 		if ($scope !== $token->getScopeAsArray()) {
-			$token->setScope(['filesystem' => $scope['filesystem']]);
-			$this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
+			$token->setScope([IToken::SCOPE_FILESYSTEM => $scope[IToken::SCOPE_FILESYSTEM]]);
+			$this->publishActivity($scope[IToken::SCOPE_FILESYSTEM] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
 		}
 
 		if (mb_strlen($name) > 128) {

apps/settings/tests/Controller/AuthSettingsControllerTest.php

@@ -267,7 +267,7 @@ public function testUpdateRename(string $name, string $newName): void {
 
 		$token->expects($this->once())
 			->method('getScopeAsArray')
-			->willReturn(['filesystem' => true]);
+			->willReturn([IToken::SCOPE_FILESYSTEM => true]);
 
 		$token->expects($this->once())
 			->method('setName')
@@ -277,7 +277,7 @@ public function testUpdateRename(string $name, string $newName): void {
 			->method('updateToken')
 			->with($this->equalTo($token));
 
-		$this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], $newName));
+		$this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], $newName));
 	}
 
 	public function dataUpdateFilesystemScope(): array {
@@ -310,17 +310,17 @@ public function testUpdateFilesystemScope(bool $filesystem, bool $newFilesystem)
 
 		$token->expects($this->once())
 			->method('getScopeAsArray')
-			->willReturn(['filesystem' => $filesystem]);
+			->willReturn([IToken::SCOPE_FILESYSTEM => $filesystem]);
 
 		$token->expects($this->once())
 			->method('setScope')
-			->with($this->equalTo(['filesystem' => $newFilesystem]));
+			->with($this->equalTo([IToken::SCOPE_FILESYSTEM => $newFilesystem]));
 
 		$this->tokenProvider->expects($this->once())
 			->method('updateToken')
 			->with($this->equalTo($token));
 
-		$this->assertSame([], $this->controller->update($tokenId, ['filesystem' => $newFilesystem], 'App password'));
+		$this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => $newFilesystem], 'App password'));
 	}
 
 	public function testUpdateNoChange(): void {
@@ -339,7 +339,7 @@ public function testUpdateNoChange(): void {
 
 		$token->expects($this->once())
 			->method('getScopeAsArray')
-			->willReturn(['filesystem' => true]);
+			->willReturn([IToken::SCOPE_FILESYSTEM => true]);
 
 		$token->expects($this->never())
 			->method('setName');
@@ -351,7 +351,7 @@ public function testUpdateNoChange(): void {
 			->method('updateToken')
 			->with($this->equalTo($token));
 
-		$this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password'));
+		$this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password'));
 	}
 
 	public function testUpdateExpired() {
@@ -371,7 +371,7 @@ public function testUpdateExpired() {
 			->method('updateToken')
 			->with($this->equalTo($token));
 
-		$this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password'));
+		$this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password'));
 	}
 
 	public function testUpdateTokenWrongUser() {
@@ -389,7 +389,7 @@ public function testUpdateTokenWrongUser() {
 		$this->tokenProvider->expects($this->never())
 			->method('updateToken');
 
-		$response = $this->controller->update($tokenId, ['filesystem' => true], 'App password');
+		$response = $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password');
 		$this->assertSame([], $response->getData());
 		$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
 	}
@@ -403,7 +403,7 @@ public function testUpdateTokenNonExisting() {
 		$this->tokenProvider->expects($this->never())
 			->method('updateToken');
 
-		$response = $this->controller->update(42, ['filesystem' => true], 'App password');
+		$response = $this->controller->update(42, [IToken::SCOPE_FILESYSTEM => true], 'App password');
 		$this->assertSame([], $response->getData());
 		$this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
 	}

apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php

@@ -30,6 +30,7 @@
 use OCA\Settings\Settings\Personal\Security\Authtokens;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
+use OCP\Authentication\Token\IToken;
 use OCP\ISession;
 use OCP\IUserSession;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -108,7 +109,7 @@ public function testGetForm() {
 							'type' => 0,
 							'canDelete' => false,
 							'current' => true,
-							'scope' => ['filesystem' => true],
+							'scope' => [IToken::SCOPE_FILESYSTEM => true],
 							'canRename' => false,
 						],
 						[
@@ -117,7 +118,7 @@ public function testGetForm() {
 							'lastActivity' => 0,
 							'type' => 0,
 							'canDelete' => true,
-							'scope' => ['filesystem' => true],
+							'scope' => [IToken::SCOPE_FILESYSTEM => true],
 							'canRename' => true,
 						],
 					]

lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

@@ -15,6 +15,7 @@
 use OCP\Authentication\Exceptions\ExpiredTokenException;
 use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken;
 use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Session\Exceptions\SessionNotAvailableException;
@@ -85,7 +86,7 @@ public function beforeController($controller, $methodName) {
 				return;
 			}
 			$scope = $token->getScopeAsArray();
-			if (isset($scope['sso-based-login']) && $scope['sso-based-login'] === true) {
+			if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
 				// Users logging in from SSO backends cannot confirm their password by design
 				return;
 			}

lib/private/Authentication/Token/PublicKeyToken.php

@@ -9,6 +9,7 @@
 namespace OC\Authentication\Token;
 
 use OCP\AppFramework\Db\Entity;
+use OCP\Authentication\Token\IToken;
 
 /**
  * @method void setId(int $id)
@@ -162,7 +163,7 @@ public function getScopeAsArray(): array {
 		$scope = json_decode($this->getScope(), true);
 		if (!$scope) {
 			return [
-				'filesystem' => true
+				IToken::SCOPE_FILESYSTEM => true
 			];
 		}
 		return $scope;

lib/private/Lockdown/LockdownManager.php

@@ -5,7 +5,7 @@
  */
 namespace OC\Lockdown;
 
-use OC\Authentication\Token\IToken;
+use OCP\Authentication\Token\IToken;
 use OCP\ISession;
 use OCP\Lockdown\ILockdownManager;
 
@@ -60,6 +60,6 @@ public function setToken(IToken $token) {
 
 	public function canAccessFilesystem() {
 		$scope = $this->getScopeAsArray();
-		return !$scope || $scope['filesystem'];
+		return !$scope || $scope[IToken::SCOPE_FILESYSTEM];
 	}
 }

lib/private/Template/JSConfigHelper.php

@@ -16,6 +16,7 @@
 use OCP\Authentication\Exceptions\ExpiredTokenException;
 use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken;
 use OCP\Constants;
 use OCP\Defaults;
 use OCP\Files\FileInfo;
@@ -286,6 +287,6 @@ protected function canUserValidatePassword(): bool {
 			return true;
 		}
 		$scope = $token->getScopeAsArray();
-		return !isset($scope['sso-based-login']) || $scope['sso-based-login'] === false;
+		return !isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) || $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === false;
 	}
 }

lib/private/legacy/OC_User.php

@@ -7,6 +7,7 @@
  */
 use OC\Authentication\Token\IProvider;
 use OC\User\LoginException;
+use OCP\Authentication\Token\IToken;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IGroupManager;
 use OCP\ISession;
@@ -171,7 +172,7 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 				if (empty($password)) {
 					$tokenProvider = \OC::$server->get(IProvider::class);
 					$token = $tokenProvider->getToken($userSession->getSession()->getId());
-					$token->setScope(['sso-based-login' => true]);
+					$token->setScope([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]);
 					$tokenProvider->updateToken($token);
 				}
 

lib/public/Authentication/Token/IToken.php

@@ -34,6 +34,15 @@ interface IToken extends JsonSerializable {
 	 */
 	public const REMEMBER = 1;
 
+	/**
+	 * @since 30.0.0
+	 */
+	public const SCOPE_FILESYSTEM = 'filesystem';
+	/**
+	 * @since 30.0.0
+	 */
+	public const SCOPE_SKIP_PASSWORD_VALIDATION = 'password-unconfirmable';
+
 	/**
 	 * Get the token ID
 	 * @since 28.0.0

tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php

@@ -181,7 +181,7 @@ public function testSSO() {
 
 		$token = $this->createMock(IToken::class);
 		$token->method('getScopeAsArray')
-			->willReturn(['sso-based-login' => true]);
+			->willReturn([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]);
 		$this->tokenProvider->expects($this->once())
 			->method('getToken')
 			->with($sessionId)

tests/lib/Authentication/Token/PublicKeyTokenTest.php

@@ -9,19 +9,20 @@
 namespace Test\Authentication\Token;
 
 use OC\Authentication\Token\PublicKeyToken;
+use OCP\Authentication\Token\IToken;
 use Test\TestCase;
 
 class PublicKeyTokenTest extends TestCase {
 	public function testSetScopeAsArray() {
-		$scope = ['filesystem' => false];
+		$scope = [IToken::SCOPE_FILESYSTEM => false];
 		$token = new PublicKeyToken();
 		$token->setScope($scope);
 		$this->assertEquals(json_encode($scope), $token->getScope());
 		$this->assertEquals($scope, $token->getScopeAsArray());
 	}
 
 	public function testDefaultScope() {
-		$scope = ['filesystem' => true];
+		$scope = [IToken::SCOPE_FILESYSTEM => true];
 		$token = new PublicKeyToken();
 		$this->assertEquals($scope, $token->getScopeAsArray());
 	}

tests/lib/Lockdown/Filesystem/NoFSTest.php

@@ -9,6 +9,7 @@
 use OC\Authentication\Token\PublicKeyToken;
 use OC\Files\Filesystem;
 use OC\Lockdown\Filesystem\NullStorage;
+use OCP\Authentication\Token\IToken;
 use Test\Traits\UserTrait;
 
 /**
@@ -20,7 +21,7 @@ class NoFSTest extends \Test\TestCase {
 	protected function tearDown(): void {
 		$token = new PublicKeyToken();
 		$token->setScope([
-			'filesystem' => true
+			IToken::SCOPE_FILESYSTEM => true
 		]);
 		\OC::$server->get('LockdownManager')->setToken($token);
 		parent::tearDown();
@@ -30,7 +31,7 @@ protected function setUp(): void {
 		parent::setUp();
 		$token = new PublicKeyToken();
 		$token->setScope([
-			'filesystem' => false
+			IToken::SCOPE_FILESYSTEM => false
 		]);
 
 		\OC::$server->get('LockdownManager')->setToken($token);

tests/lib/Lockdown/LockdownManagerTest.php

@@ -8,6 +8,7 @@
 
 use OC\Authentication\Token\PublicKeyToken;
 use OC\Lockdown\LockdownManager;
+use OCP\Authentication\Token\IToken;
 use OCP\ISession;
 use Test\TestCase;
 
@@ -29,15 +30,15 @@ public function testCanAccessFilesystemDisabled() {
 
 	public function testCanAccessFilesystemAllowed() {
 		$token = new PublicKeyToken();
-		$token->setScope(['filesystem' => true]);
+		$token->setScope([IToken::SCOPE_FILESYSTEM => true]);
 		$manager = new LockdownManager($this->sessionCallback);
 		$manager->setToken($token);
 		$this->assertTrue($manager->canAccessFilesystem());
 	}
 
 	public function testCanAccessFilesystemNotAllowed() {
 		$token = new PublicKeyToken();
-		$token->setScope(['filesystem' => false]);
+		$token->setScope([IToken::SCOPE_FILESYSTEM => false]);
 		$manager = new LockdownManager($this->sessionCallback);
 		$manager->setToken($token);
 		$this->assertFalse($manager->canAccessFilesystem());