diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php index 8a01c7c2468c7..8f8ceb7d9ca3f 100644 --- a/apps/settings/lib/Controller/AuthSettingsController.php +++ b/apps/settings/lib/Controller/AuthSettingsController.php @@ -241,8 +241,8 @@ public function update($id, array $scope, string $name) { $currentName = $token->getName(); if ($scope !== $token->getScopeAsArray()) { - $token->setScope(['filesystem' => $scope['filesystem']]); - $this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]); + $token->setScope([IToken::SCOPE_FILESYSTEM => $scope[IToken::SCOPE_FILESYSTEM]]); + $this->publishActivity($scope[IToken::SCOPE_FILESYSTEM] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]); } if (mb_strlen($name) > 128) { diff --git a/apps/settings/tests/Controller/AuthSettingsControllerTest.php b/apps/settings/tests/Controller/AuthSettingsControllerTest.php index b744b942e093b..747515898eae3 100644 --- a/apps/settings/tests/Controller/AuthSettingsControllerTest.php +++ b/apps/settings/tests/Controller/AuthSettingsControllerTest.php @@ -267,7 +267,7 @@ public function testUpdateRename(string $name, string $newName): void { $token->expects($this->once()) ->method('getScopeAsArray') - ->willReturn(['filesystem' => true]); + ->willReturn([IToken::SCOPE_FILESYSTEM => true]); $token->expects($this->once()) ->method('setName') 
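Review bot: In `update()`, `$scope[IToken::SCOPE_FILESYSTEM]` is taken from the `array $scope` argument (presumably request-supplied) without checking that the key exists or that the value is a boolean, and the same raw value is both stored through `setScope()` and used to pick the activity event. A call that omits the key would raise an undefined-key warning and store null, and a truthy non-boolean such as the string 'false' would be stored and reported as APP_TOKEN_FILESYSTEM_GRANTED. Normalise once before the comparison, e.g. `$filesystem = filter_var($scope[IToken::SCOPE_FILESYSTEM] ?? false, FILTER_VALIDATE_BOOLEAN);`, and use `$filesystem` in both calls. Copying only this one key is what keeps a caller from setting other flags such as `IToken::SCOPE_SKIP_PASSWORD_VALIDATION`, which deserves a comment: `// Only the filesystem flag is user-editable; never copy other scope keys from the request`. The rest of update() lies outside the hunk.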
@@ -277,7 +277,7 @@ public function testUpdateRename(string $name, string $newName): void { ->method('updateToken') ->with($this->equalTo($token)); - $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], $newName)); + $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], $newName)); } public function dataUpdateFilesystemScope(): array { @@ -310,17 +310,17 @@ public function testUpdateFilesystemScope(bool $filesystem, bool $newFilesystem) $token->expects($this->once()) ->method('getScopeAsArray') - ->willReturn(['filesystem' => $filesystem]); + ->willReturn([IToken::SCOPE_FILESYSTEM => $filesystem]); $token->expects($this->once()) ->method('setScope') - ->with($this->equalTo(['filesystem' => $newFilesystem])); + ->with($this->equalTo([IToken::SCOPE_FILESYSTEM => $newFilesystem])); $this->tokenProvider->expects($this->once()) ->method('updateToken') ->with($this->equalTo($token)); - $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => $newFilesystem], 'App password')); + $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => $newFilesystem], 'App password')); } public function testUpdateNoChange(): void { @@ -339,7 +339,7 @@ public function testUpdateNoChange(): void { $token->expects($this->once()) ->method('getScopeAsArray') - ->willReturn(['filesystem' => true]); + ->willReturn([IToken::SCOPE_FILESYSTEM => true]); $token->expects($this->never()) ->method('setName'); @@ -351,7 +351,7 @@ public function testUpdateNoChange(): void { ->method('updateToken') ->with($this->equalTo($token)); - $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password')); + $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password')); } public function testUpdateExpired() { 
@@ -371,7 +371,7 @@ public function testUpdateExpired() { ->method('updateToken') ->with($this->equalTo($token)); - $this->assertSame([], $this->controller->update($tokenId, ['filesystem' => true], 'App password')); + $this->assertSame([], $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password')); } public function testUpdateTokenWrongUser() { @@ -389,7 +389,7 @@ public function testUpdateTokenWrongUser() { $this->tokenProvider->expects($this->never()) ->method('updateToken'); - $response = $this->controller->update($tokenId, ['filesystem' => true], 'App password'); + $response = $this->controller->update($tokenId, [IToken::SCOPE_FILESYSTEM => true], 'App password'); $this->assertSame([], $response->getData()); $this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus()); } @@ -403,7 +403,7 @@ public function testUpdateTokenNonExisting() { $this->tokenProvider->expects($this->never()) ->method('updateToken'); - $response = $this->controller->update(42, ['filesystem' => true], 'App password'); + $response = $this->controller->update(42, [IToken::SCOPE_FILESYSTEM => true], 'App password'); $this->assertSame([], $response->getData()); $this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus()); } diff --git a/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php b/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php index 5ccec93655574..13d720c201e21 100644 --- a/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php +++ b/apps/settings/tests/Settings/Personal/Security/AuthtokensTest.php @@ -30,6 +30,7 @@ use OCA\Settings\Settings\Personal\Security\Authtokens; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; +use OCP\Authentication\Token\IToken; use OCP\ISession; use OCP\IUserSession; use PHPUnit\Framework\MockObject\MockObject; 
@@ -108,7 +109,7 @@ public function testGetForm() { 'type' => 0, 'canDelete' => false, 'current' => true, - 'scope' => ['filesystem' => true], + 'scope' => [IToken::SCOPE_FILESYSTEM => true], 'canRename' => false, ], [ @@ -117,7 +118,7 @@ public function testGetForm() { 'lastActivity' => 0, 'type' => 0, 'canDelete' => true, - 'scope' => ['filesystem' => true], + 'scope' => [IToken::SCOPE_FILESYSTEM => true], 'canRename' => true, ], ] diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php index 9fa4aedd40159..5ff9d7386da01 100644 --- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php @@ -15,6 +15,7 @@ use OCP\Authentication\Exceptions\ExpiredTokenException; use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Authentication\Exceptions\WipeTokenException; +use OCP\Authentication\Token\IToken; use OCP\ISession; use OCP\IUserSession; use OCP\Session\Exceptions\SessionNotAvailableException; @@ -85,7 +86,7 @@ public function beforeController($controller, $methodName) { return; } $scope = $token->getScopeAsArray(); - if (isset($scope['sso-based-login']) && $scope['sso-based-login'] === true) { + if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) { // Users logging in from SSO backends cannot confirm their password by design return; } diff --git a/lib/private/Authentication/Token/PublicKeyToken.php b/lib/private/Authentication/Token/PublicKeyToken.php index 0b7a2589f3e34..961b7191d84ae 100644 --- a/lib/private/Authentication/Token/PublicKeyToken.php +++ b/lib/private/Authentication/Token/PublicKeyToken.php @@ -9,6 +9,7 @@ namespace OC\Authentication\Token; use OCP\AppFramework\Db\Entity; +use OCP\Authentication\Token\IToken; /** * @method void setId(int $id) 
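Review bot: The key checked in `beforeController()` changes value as well as name: `IToken::SCOPE_SKIP_PASSWORD_VALIDATION` is defined in this commit as 'password-unconfirmable', while the removed line matched 'sso-based-login'. A token whose stored scope still carries the old key would no longer take this early return, so password confirmation would be demanded from a session that, by the inline comment, cannot provide it; the same holds for `canUserValidatePassword()` in JSConfigHelper.php. That fails closed, but if such tokens can outlive the upgrade, either migrate the stored scopes or keep the literal value unchanged in IToken. The inline comment could also follow the generic constant name, e.g. `// Token is flagged as unable to confirm a password (e.g. SSO logins)`.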
@@ -162,7 +163,7 @@ public function getScopeAsArray(): array { $scope = json_decode($this->getScope(), true); if (!$scope) { return [ - 'filesystem' => true + IToken::SCOPE_FILESYSTEM => true ]; } return $scope; diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php index 779b1ea2650ab..3b45709d5c96e 100644 --- a/lib/private/Lockdown/LockdownManager.php +++ b/lib/private/Lockdown/LockdownManager.php @@ -5,7 +5,7 @@ */ namespace OC\Lockdown; -use OC\Authentication\Token\IToken; +use OCP\Authentication\Token\IToken; use OCP\ISession; use OCP\Lockdown\ILockdownManager; @@ -60,6 +60,6 @@ public function setToken(IToken $token) { public function canAccessFilesystem() { $scope = $this->getScopeAsArray(); - return !$scope || $scope['filesystem']; + return !$scope || $scope[IToken::SCOPE_FILESYSTEM]; } } diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php index 5c38ae4cc7229..a41e99ae8c484 100644 --- a/lib/private/Template/JSConfigHelper.php +++ b/lib/private/Template/JSConfigHelper.php @@ -16,6 +16,7 @@ use OCP\Authentication\Exceptions\ExpiredTokenException; use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Authentication\Exceptions\WipeTokenException; +use OCP\Authentication\Token\IToken; use OCP\Constants; use OCP\Defaults; use OCP\Files\FileInfo; @@ -286,6 +287,6 @@ protected function canUserValidatePassword(): bool { return true; } $scope = $token->getScopeAsArray(); - return !isset($scope['sso-based-login']) || $scope['sso-based-login'] === false; + return !isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) || $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === false; } } diff --git a/lib/private/legacy/OC_User.php b/lib/private/legacy/OC_User.php index 66d28771ae1fa..f9f751f7b1454 100644 --- a/lib/private/legacy/OC_User.php +++ b/lib/private/legacy/OC_User.php 
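Review bot: The fallback in `getScopeAsArray()` returns `IToken::SCOPE_FILESYSTEM => true` for every falsy decode result, so a stored scope that is malformed JSON is treated the same as a token that never had a scope and is given filesystem access. A stored value that decodes to a truthy non-array would instead be returned as-is and conflict with the `: array` return type. If the default is meant only for tokens without a stored scope, test that case explicitly and return `[IToken::SCOPE_FILESYSTEM => false]` when a non-empty value does not decode to an array. At minimum the branch should say what it does: `// No stored scope: default to full filesystem access`.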
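Review bot: `canAccessFilesystem()` indexes `$scope[IToken::SCOPE_FILESYSTEM]` on any non-empty scope without checking that the key exists. A scope holding only another flag would trigger an undefined-key warning and be evaluated as no filesystem access, which may or may not be intended. The value is also judged by truthiness, so a stored non-boolean such as a non-empty string counts as granted. Making the decision explicit keeps the outcome deliberate, `return !$scope || ($scope[IToken::SCOPE_FILESYSTEM] ?? false) === true;`, and a short docblock on the method should state which default applies to a missing key.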
@@ -7,6 +7,7 @@ */ use OC\Authentication\Token\IProvider; use OC\User\LoginException; +use OCP\Authentication\Token\IToken; use OCP\EventDispatcher\IEventDispatcher; use OCP\IGroupManager; use OCP\ISession; @@ -171,7 +172,7 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe if (empty($password)) { $tokenProvider = \OC::$server->get(IProvider::class); $token = $tokenProvider->getToken($userSession->getSession()->getId()); - $token->setScope(['sso-based-login' => true]); + $token->setScope([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]); $tokenProvider->updateToken($token); } diff --git a/lib/public/Authentication/Token/IToken.php b/lib/public/Authentication/Token/IToken.php index 4f232b83d4ed7..8c04728092446 100644 --- a/lib/public/Authentication/Token/IToken.php +++ b/lib/public/Authentication/Token/IToken.php @@ -34,6 +34,15 @@ interface IToken extends JsonSerializable { */ public const REMEMBER = 1; + /** + * @since 30.0.0 + */ + public const SCOPE_FILESYSTEM = 'filesystem'; + /** + * @since 30.0.0 + */ + public const SCOPE_SKIP_PASSWORD_VALIDATION = 'password-unconfirmable'; + /** * Get the token ID * @since 28.0.0 diff --git a/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php index f1030c449e2c9..beee7151264d3 100644 --- a/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php +++ b/tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php @@ -181,7 +181,7 @@ public function testSSO() { $token = $this->createMock(IToken::class); $token->method('getScopeAsArray') - ->willReturn(['sso-based-login' => true]); + ->willReturn([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]); $this->tokenProvider->expects($this->once()) ->method('getToken') ->with($sessionId) 
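Review bot: In `loginWithApache()`, `setScope([IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true])` replaces the token's whole scope rather than adding one flag, so any key already present, including `IToken::SCOPE_FILESYSTEM`, is dropped. Readers that index the filesystem key directly, such as `LockdownManager::canAccessFilesystem()` in this commit, would then find it missing. Merging keeps the existing flags: `$token->setScope(array_merge($token->getScopeAsArray(), [IToken::SCOPE_SKIP_PASSWORD_VALIDATION => true]));`. Because this flag makes PasswordConfirmationMiddleware skip the check for the session, the `empty($password)` condition should carry a comment explaining it, e.g. `// The backend supplied no password, so the user cannot re-confirm one later`. The surrounding function continues outside the hunk.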
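Review bot: The two new constants in IToken carry only `@since` tags, although they are the public contract for token scope keys and `SCOPE_SKIP_PASSWORD_VALIDATION` switches off password confirmation for any session that carries it. Each docblock should describe the key, for example `Scope key (bool): whether the token may access the filesystem` and `Scope key (bool): true when the session cannot confirm a password (e.g. SSO login), so password confirmation is skipped; set only by server-side login code`. The name says SKIP_PASSWORD_VALIDATION while the value says 'password-unconfirmable', so the description should also state which of the two meanings is intended.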
diff --git a/tests/lib/Authentication/Token/PublicKeyTokenTest.php b/tests/lib/Authentication/Token/PublicKeyTokenTest.php index acbddebea3590..cc8890002e914 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenTest.php @@ -9,11 +9,12 @@ namespace Test\Authentication\Token; use OC\Authentication\Token\PublicKeyToken; +use OCP\Authentication\Token\IToken; use Test\TestCase; class PublicKeyTokenTest extends TestCase { public function testSetScopeAsArray() { - $scope = ['filesystem' => false]; + $scope = [IToken::SCOPE_FILESYSTEM => false]; $token = new PublicKeyToken(); $token->setScope($scope); $this->assertEquals(json_encode($scope), $token->getScope()); @@ -21,7 +22,7 @@ public function testSetScopeAsArray() { } public function testDefaultScope() { - $scope = ['filesystem' => true]; + $scope = [IToken::SCOPE_FILESYSTEM => true]; $token = new PublicKeyToken(); $this->assertEquals($scope, $token->getScopeAsArray()); } diff --git a/tests/lib/Lockdown/Filesystem/NoFSTest.php b/tests/lib/Lockdown/Filesystem/NoFSTest.php index 084292286478a..7a636fbaaaad3 100644 --- a/tests/lib/Lockdown/Filesystem/NoFSTest.php +++ b/tests/lib/Lockdown/Filesystem/NoFSTest.php @@ -9,6 +9,7 @@ use OC\Authentication\Token\PublicKeyToken; use OC\Files\Filesystem; use OC\Lockdown\Filesystem\NullStorage; +use OCP\Authentication\Token\IToken; use Test\Traits\UserTrait; /** @@ -20,7 +21,7 @@ class NoFSTest extends \Test\TestCase { protected function tearDown(): void { $token = new PublicKeyToken(); $token->setScope([ - 'filesystem' => true + IToken::SCOPE_FILESYSTEM => true ]); \OC::$server->get('LockdownManager')->setToken($token); parent::tearDown(); @@ -30,7 +31,7 @@ protected function setUp(): void { parent::setUp(); $token = new PublicKeyToken(); $token->setScope([ - 'filesystem' => false + IToken::SCOPE_FILESYSTEM => false ]); \OC::$server->get('LockdownManager')->setToken($token); 
diff --git a/tests/lib/Lockdown/LockdownManagerTest.php b/tests/lib/Lockdown/LockdownManagerTest.php index 5ff5a84e800f1..bb71a6e63de60 100644 --- a/tests/lib/Lockdown/LockdownManagerTest.php +++ b/tests/lib/Lockdown/LockdownManagerTest.php @@ -8,6 +8,7 @@ use OC\Authentication\Token\PublicKeyToken; use OC\Lockdown\LockdownManager; +use OCP\Authentication\Token\IToken; use OCP\ISession; use Test\TestCase; @@ -29,7 +30,7 @@ public function testCanAccessFilesystemDisabled() { public function testCanAccessFilesystemAllowed() { $token = new PublicKeyToken(); - $token->setScope(['filesystem' => true]); + $token->setScope([IToken::SCOPE_FILESYSTEM => true]); $manager = new LockdownManager($this->sessionCallback); $manager->setToken($token); $this->assertTrue($manager->canAccessFilesystem()); @@ -37,7 +38,7 @@ public function testCanAccessFilesystemAllowed() { public function testCanAccessFilesystemNotAllowed() { $token = new PublicKeyToken(); - $token->setScope(['filesystem' => false]); + $token->setScope([IToken::SCOPE_FILESYSTEM => false]); $manager = new LockdownManager($this->sessionCallback); $manager->setToken($token); $this->assertFalse($manager->canAccessFilesystem());