Use true random string as uri for public calendars - as a result we c…

…an no longer return the pre-publish-url
owncloud · Sep 7, 2016 · 416306f · 416306f
1 parent a47b5bf
commit 416306f
Show file tree

Hide file tree

Showing 11 changed files with 70 additions and 42 deletions.
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
@@ -45,7 +45,8 @@
 );
 $db = \OC::$server->getDatabaseConnection();
 $config = \OC::$server->getConfig();
-$calDavBackend = new CalDavBackend($db, $principalBackend, $config);
+$random = \OC::$server->getSecureRandom();
+$calDavBackend = new CalDavBackend($db, $principalBackend, $config, $random);
 
 $debugging = \OC::$server->getConfig()->getSystemValue('debug', false);
 

diff --git a/apps/dav/lib/AppInfo/Application.php b/apps/dav/lib/AppInfo/Application.php
@@ -89,11 +89,13 @@ public function __construct (array $urlParams=array()) {
 			/** @var IAppContainer $c */
 			$db = $c->getServer()->getDatabaseConnection();
 			$config = $c->getServer()->getConfig();
+			$random = $c->getServer()->getSecureRandom();
+
 			$principal = new Principal(
 				$c->getServer()->getUserManager(),
 				$c->getServer()->getGroupManager()
 			);
-			return new CalDavBackend($db, $principal, $config);
+			return new CalDavBackend($db, $principal, $config, $random);
 		});
 
 		$container->registerService('BirthdayService', function($c) {

diff --git a/apps/dav/lib/CalDAV/CalDavBackend.php b/apps/dav/lib/CalDAV/CalDavBackend.php
@@ -30,6 +30,7 @@
 use OCA\DAV\DAV\Sharing\Backend;
 use OCP\IConfig;
 use OCP\IDBConnection;
+use OCP\Security\ISecureRandom;
 use Sabre\CalDAV\Backend\AbstractBackend;
 use Sabre\CalDAV\Backend\SchedulingSupport;
 use Sabre\CalDAV\Backend\SubscriptionSupport;
@@ -113,18 +114,25 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
 	/** @var IConfig */
 	private $config;
 
+	/** @var ISecureRandom */
+	private $random;
+
 	/**
 	 * CalDavBackend constructor.
 	 *
 	 * @param IDBConnection $db
 	 * @param Principal $principalBackend
 	 * @param IConfig $config
 	 */
-	public function __construct(IDBConnection $db, Principal $principalBackend, IConfig $config) {
+	public function __construct(IDBConnection $db,
+								Principal $principalBackend,
+								IConfig $config,
+								ISecureRandom $random) {
 		$this->db = $db;
 		$this->principalBackend = $principalBackend;
 		$this->sharingBackend = new Backend($this->db, $principalBackend, 'calendar');
 		$this->config = $config;
+		$this->random = $random;
 	}
 
 	/**
@@ -347,10 +355,9 @@ public function getPublicCalendar($uri) {
 		if ($row['components']) {
 			$components = explode(',',$row['components']);
 		}
-		$uri = md5($this->config->getSystemValue('secret', '') . $row['id']);
 		$calendar = [
 			'id' => $row['id'],
-			'uri' => $uri,
+			'uri' => $row['publicuri'],
 			'principaluri' => $row['principaluri'],
 			'{' . Plugin::NS_CALENDARSERVER . '}getctag' => 'http://sabre.io/ns/sync/' . ($row['synctoken']?$row['synctoken']:'0'),
 			'{http://sabredav.org/ns}sync-token' => $row['synctoken']?$row['synctoken']:'0',
@@ -1541,24 +1548,28 @@ public function getShares($resourceId) {
 	/**
 	 * @param boolean $value
 	 * @param \OCA\DAV\CalDAV\Calendar $calendar
+	 * @return string|null
 	 */
 	public function setPublishStatus($value, $calendar) {
 		$query = $this->db->getQueryBuilder();
 		if ($value) {
+			$publicUri = $this->random->generate(16, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS);
 			$query->insert('dav_shares')
 				->values([
 					'principaluri' => $query->createNamedParameter($calendar->getPrincipalURI()),
 					'type' => $query->createNamedParameter('calendar'),
 					'access' => $query->createNamedParameter(self::ACCESS_PUBLIC),
 					'resourceid' => $query->createNamedParameter($calendar->getResourceId()),
-					'publicuri' => $query->createNamedParameter(md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId()))
+					'publicuri' => $query->createNamedParameter($publicUri)
 				]);
-		} else {
-			$query->delete('dav_shares')
-				->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
-				->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
+			$query->execute();
+			return $publicUri;
 		}
+		$query->delete('dav_shares')
+			->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
+			->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
 		$query->execute();
+		return null;
 	}
 
 	/**

diff --git a/apps/dav/lib/CalDAV/Calendar.php b/apps/dav/lib/CalDAV/Calendar.php
@@ -251,9 +251,12 @@ function calendarQuery(array $filters) {
 
 	/**
 	 * @param boolean $value
+	 * @return string|null
 	 */
 	function setPublishStatus($value) {
-		$this->caldavBackend->setPublishStatus($value, $this);
+		$publicUri = $this->caldavBackend->setPublishStatus($value, $this);
+		$this->calendarInfo['publicuri'] = $publicUri;
+		return $publicUri;
 	}
 
 	/**

diff --git a/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php b/apps/dav/lib/CalDAV/Publishing/PublishPlugin.php
@@ -94,22 +94,16 @@ public function initialize(Server $server) {
 
 	public function propFind(PropFind $propFind, INode $node) {
 		if ($node instanceof Calendar) {
-			$token = md5($this->config->getSystemValue('secret', '').$node->getResourceId());
-
-			$publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
-
-			$propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node, $publishUrl) {
+			$propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node) {
 				if ($node->getPublishStatus()) {
 					// We return the publish-url only if the calendar is published.
+					$token = $node->getName();
+					$publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
+
 					return new Publisher($publishUrl, true);
 				}
 			});
 
-			$propFind->handle('{'.self::NS_CALENDARSERVER.'}pre-publish-url', function () use ($node, $publishUrl) {
-				// The pre-publish-url is always returned
-				return new Publisher($publishUrl, false);
-			});
-
 			$propFind->handle('{'.self::NS_CALENDARSERVER.'}allowed-sharing-modes', function() use ($node) {
 				return new AllowedSharingModes(!$node->isSubscription(), !$node->isSubscription());
 			});

diff --git a/apps/dav/lib/Command/CreateCalendar.php b/apps/dav/lib/Command/CreateCalendar.php
@@ -75,9 +75,10 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			$this->groupManager
 		);
 		$config = \OC::$server->getConfig();
+		$random = \OC::$server->getSecureRandom();
 
 		$name = $input->getArgument('name');
-		$caldav = new CalDavBackend($this->dbConnection, $principalBackend, $config);
+		$caldav = new CalDavBackend($this->dbConnection, $principalBackend, $config, $random);
 		$caldav->createCalendar("principals/users/$user", $name, []);
 	}
 }
diff --git a/apps/dav/lib/DAV/PublicAuth.php b/apps/dav/lib/DAV/PublicAuth.php
@@ -86,10 +86,6 @@ function challenge(RequestInterface $request, ResponseInterface $response) {
 	 * @return bool
 	 */
 	private function isRequestPublic(RequestInterface $request) {
-		$params = $request->getQueryParameters();
-		if (isset($params['sabreAction']) && $params['sabreAction'] == 'asset') {
-			return true;
-		}
 		$url = $request->getPath();
 		$matchingUrls = array_filter($this->publicURLs, function ($publicUrl) use ($url) {
 			return strpos($url, $publicUrl, 0) === 0;

diff --git a/apps/dav/lib/RootCollection.php b/apps/dav/lib/RootCollection.php
@@ -38,6 +38,7 @@ class RootCollection extends SimpleCollection {
 
 	public function __construct() {
 		$config = \OC::$server->getConfig();
+		$random = \OC::$server->getSecureRandom();
 		$db = \OC::$server->getDatabaseConnection();
 		$dispatcher = \OC::$server->getEventDispatcher();
 		$userPrincipalBackend = new Principal(
@@ -59,7 +60,7 @@ public function __construct() {
 		$systemPrincipals->disableListing = $disableListing;
 		$filesCollection = new Files\RootCollection($userPrincipalBackend, 'principals/users');
 		$filesCollection->disableListing = $disableListing;
-		$caldavBackend = new CalDavBackend($db, $userPrincipalBackend, $config);
+		$caldavBackend = new CalDavBackend($db, $userPrincipalBackend, $config, $random);
 		$calendarRoot = new CalendarRoot($userPrincipalBackend, $caldavBackend, 'principals/users');
 		$calendarRoot->disableListing = $disableListing;
 		$publicCalendarRoot = new PublicCalendarRoot($caldavBackend);

diff --git a/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php
@@ -25,6 +25,7 @@
 use OCA\DAV\Connector\Sabre\Principal;
 use OCP\IL10N;
 use OCP\IConfig;
+use OCP\Security\ISecureRandom;
 use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet;
 use Test\TestCase;
 
@@ -50,6 +51,9 @@ abstract class AbstractCalDavBackendTest extends TestCase {
 	const UNIT_TEST_USER1 = 'principals/users/caldav-unit-test1';
 	const UNIT_TEST_GROUP = 'principals/groups/caldav-unit-test-group';
 
+	/** @var ISecureRandom */
+	private $random;
+
 	public function setUp() {
 		parent::setUp();
 
@@ -67,7 +71,8 @@ public function setUp() {
 
 		$db = \OC::$server->getDatabaseConnection();
 		$this->config = \OC::$server->getConfig();
-		$this->backend = new CalDavBackend($db, $this->principal, $this->config);
+		$this->random = \OC::$server->getSecureRandom();
+		$this->backend = new CalDavBackend($db, $this->principal, $this->config, $this->random);
 
 		$this->tearDown();
 	}

diff --git a/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php b/apps/dav/tests/unit/CalDAV/CalDavBackendTest.php
@@ -348,7 +348,7 @@ public function testPublications() {
 		$this->assertEquals(1, count($publicCalendars));
 		$this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']);
 
-		$publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId());
+		$publicCalendarURI = $publicCalendars[0]['uri'];
 		$publicCalendar = $this->backend->getPublicCalendar($publicCalendarURI);
 		$this->assertEquals(true, $publicCalendar['{http://owncloud.org/ns}public']);
 

diff --git a/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php b/apps/dav/tests/unit/CalDAV/PublicCalendarRootTest.php
@@ -4,11 +4,10 @@
 
 use OCA\DAV\CalDAV\Calendar;
 use OCP\IL10N;
-use OCP\IConfig;
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\PublicCalendarRoot;
+use OCP\Security\ISecureRandom;
 use Test\TestCase;
-use Sabre\Uri;
 
 /**
  * Class PublicCalendarRootTest
@@ -35,6 +34,9 @@ class PublicCalendarRootTest extends TestCase {
 
 	private $principal;
 
+	/** @var ISecureRandom */
+	private $random;
+
 	public function setUp() {
 		parent::setUp();
 
@@ -43,15 +45,28 @@ public function setUp() {
 			->disableOriginalConstructor()
 			->getMock();
 		$this->config = \OC::$server->getConfig();
+		$this->random = \OC::$server->getSecureRandom();
 
-		$this->backend = new CalDavBackend($db, $this->principal, $this->config);
+		$this->backend = new CalDavBackend($db, $this->principal, $this->config, $this->random);
 
 		$this->publicCalendarRoot = new PublicCalendarRoot($this->backend);
 
 		$this->l10n = $this->getMockBuilder('\OCP\IL10N')
 			->disableOriginalConstructor()->getMock();
 	}
 
+	public function tearDown() {
+		parent::tearDown();
+
+		if (is_null($this->backend)) {
+			return;
+		}
+		$books = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER);
+		foreach ($books as $book) {
+			$this->backend->deleteCalendar($book['id']);
+		}
+	}
+
 	public function testGetName() {
 		$name = $this->publicCalendarRoot->getName();
 		$this->assertEquals('public-calendars', $name);
@@ -61,21 +76,25 @@ public function testGetChild() {
 
 		$calendar = $this->createPublicCalendar();
 
-		$publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId());
+		$publicCalendars = $this->backend->getPublicCalendars();
+		$this->assertEquals(1, count($publicCalendars));
+		$this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']);
+
+		$publicCalendarURI = $publicCalendars[0]['uri'];
 
 		$calendarResult = $this->publicCalendarRoot->getChild($publicCalendarURI);
 		$this->assertEquals($calendar, $calendarResult);
 	}
 
 	public function testGetChildren() {
+		$this->createPublicCalendar();
 
 		$publicCalendars = $this->backend->getPublicCalendars();
 
 		$calendarResults = $this->publicCalendarRoot->getChildren();
 
 		$this->assertEquals(1, count($calendarResults));
 		$this->assertEquals(new Calendar($this->backend, $publicCalendars[0], $this->l10n), $calendarResults[0]);
-
 	}
 
 	/**
@@ -85,16 +104,11 @@ protected function createPublicCalendar() {
 		$this->backend->createCalendar(self::UNIT_TEST_USER, 'Example', []);
 
 		$calendarInfo = $this->backend->getCalendarsForUser(self::UNIT_TEST_USER)[0];
+		$calendar = new Calendar($this->backend, $calendarInfo, $this->l10n);
+		$publicUri = $calendar->setPublishStatus(true);
 
-		$calendarInfo['uri'] = md5($this->config->getSystemValue('secret', '') . $calendarInfo['id']);
-		list(, $name) = Uri\split($calendarInfo['principaluri']);
-		$calendarInfo['{DAV:}displayname'] = $calendarInfo['{DAV:}displayname'] . ' (' . $name . ')';
-		$calendarInfo['{http://owncloud.org/ns}owner-principal'] = $calendarInfo['principaluri'];
-		$calendarInfo['{http://owncloud.org/ns}read-only'] = false;
-		$calendarInfo['{http://owncloud.org/ns}public'] = true;
-
+		$calendarInfo = $this->backend->getPublicCalendar($publicUri);
 		$calendar = new Calendar($this->backend, $calendarInfo, $this->l10n);
-		$calendar->setPublishStatus(true);
 
 		return $calendar;
 	}