1
0

AppConfigController.php 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCA\Provisioning_API\Controller;
  8. use OC\AppConfig;
  9. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
  10. use OCP\App\IAppManager;
  11. use OCP\AppFramework\Http;
  12. use OCP\AppFramework\Http\Attribute\NoAdminRequired;
  13. use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
  14. use OCP\AppFramework\Http\DataResponse;
  15. use OCP\AppFramework\OCSController;
  16. use OCP\Exceptions\AppConfigUnknownKeyException;
  17. use OCP\IAppConfig;
  18. use OCP\IGroupManager;
  19. use OCP\IL10N;
  20. use OCP\IRequest;
  21. use OCP\IUser;
  22. use OCP\IUserSession;
  23. use OCP\Settings\IDelegatedSettings;
  24. use OCP\Settings\IManager;
  25. class AppConfigController extends OCSController {
  26. public function __construct(
  27. string $appName,
  28. IRequest $request,
  29. /** @var AppConfig */
  30. private IAppConfig $appConfig,
  31. private IUserSession $userSession,
  32. private IL10N $l10n,
  33. private IGroupManager $groupManager,
  34. private IManager $settingManager,
  35. private IAppManager $appManager,
  36. ) {
  37. parent::__construct($appName, $request);
  38. }
  39. /**
  40. * Get a list of apps
  41. *
  42. * @return DataResponse<Http::STATUS_OK, array{data: list<string>}, array{}>
  43. *
  44. * 200: Apps returned
  45. */
  46. public function getApps(): DataResponse {
  47. return new DataResponse([
  48. 'data' => $this->appConfig->getApps(),
  49. ]);
  50. }
  51. /**
  52. * Get the config keys of an app
  53. *
  54. * @param string $app ID of the app
  55. * @return DataResponse<Http::STATUS_OK, array{data: list<string>}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  56. *
  57. * 200: Keys returned
  58. * 403: App is not allowed
  59. */
  60. public function getKeys(string $app): DataResponse {
  61. try {
  62. $this->verifyAppId($app);
  63. } catch (\InvalidArgumentException $e) {
  64. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  65. }
  66. return new DataResponse([
  67. 'data' => $this->appConfig->getKeys($app),
  68. ]);
  69. }
  70. /**
  71. * Get a the config value of an app
  72. *
  73. * @param string $app ID of the app
  74. * @param string $key Key
  75. * @param string $defaultValue Default returned value if the value is empty
  76. * @return DataResponse<Http::STATUS_OK, array{data: string}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  77. *
  78. * 200: Value returned
  79. * 403: App is not allowed
  80. */
  81. public function getValue(string $app, string $key, string $defaultValue = ''): DataResponse {
  82. try {
  83. $this->verifyAppId($app);
  84. } catch (\InvalidArgumentException $e) {
  85. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  86. }
  87. /** @psalm-suppress InternalMethod */
  88. $value = $this->appConfig->getValueMixed($app, $key, $defaultValue, null);
  89. return new DataResponse(['data' => $value]);
  90. }
  91. /**
  92. * @NoSubAdminRequired
  93. *
  94. * Update the config value of an app
  95. *
  96. * @param string $app ID of the app
  97. * @param string $key Key to update
  98. * @param string $value New value for the key
  99. * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  100. *
  101. * 200: Value updated successfully
  102. * 403: App or key is not allowed
  103. */
  104. #[PasswordConfirmationRequired]
  105. #[NoAdminRequired]
  106. public function setValue(string $app, string $key, string $value): DataResponse {
  107. $user = $this->userSession->getUser();
  108. if ($user === null) {
  109. throw new \Exception('User is not logged in.'); // Should not happen, since method is guarded by middleware
  110. }
  111. if (!$this->isAllowedToChangedKey($user, $app, $key)) {
  112. throw new NotAdminException($this->l10n->t('Logged in account must be an administrator or have authorization to edit this setting.'));
  113. }
  114. try {
  115. $this->verifyAppId($app);
  116. $this->verifyConfigKey($app, $key, $value);
  117. } catch (\InvalidArgumentException $e) {
  118. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  119. }
  120. $type = null;
  121. try {
  122. $configDetails = $this->appConfig->getDetails($app, $key);
  123. $type = $configDetails['type'];
  124. } catch (AppConfigUnknownKeyException) {
  125. }
  126. /** @psalm-suppress InternalMethod */
  127. match ($type) {
  128. IAppConfig::VALUE_BOOL => $this->appConfig->setValueBool($app, $key, (bool)$value),
  129. IAppConfig::VALUE_FLOAT => $this->appConfig->setValueFloat($app, $key, (float)$value),
  130. IAppConfig::VALUE_INT => $this->appConfig->setValueInt($app, $key, (int)$value),
  131. IAppConfig::VALUE_STRING => $this->appConfig->setValueString($app, $key, $value),
  132. IAppConfig::VALUE_ARRAY => $this->appConfig->setValueArray($app, $key, \json_decode($value, true)),
  133. default => $this->appConfig->setValueMixed($app, $key, $value),
  134. };
  135. return new DataResponse();
  136. }
  137. /**
  138. * Delete a config key of an app
  139. *
  140. * @param string $app ID of the app
  141. * @param string $key Key to delete
  142. * @return DataResponse<Http::STATUS_OK, list<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  143. *
  144. * 200: Key deleted successfully
  145. * 403: App or key is not allowed
  146. */
  147. #[PasswordConfirmationRequired]
  148. public function deleteKey(string $app, string $key): DataResponse {
  149. try {
  150. $this->verifyAppId($app);
  151. $this->verifyConfigKey($app, $key, '');
  152. } catch (\InvalidArgumentException $e) {
  153. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  154. }
  155. $this->appConfig->deleteKey($app, $key);
  156. return new DataResponse();
  157. }
  158. /**
  159. * @throws \InvalidArgumentException
  160. */
  161. protected function verifyAppId(string $app): void {
  162. if ($this->appManager->cleanAppId($app) !== $app) {
  163. throw new \InvalidArgumentException('Invalid app id given');
  164. }
  165. }
  166. /**
  167. * @param string $app
  168. * @param string $key
  169. * @param string $value
  170. * @throws \InvalidArgumentException
  171. */
  172. protected function verifyConfigKey(string $app, string $key, string $value) {
  173. if (in_array($key, ['installed_version', 'enabled', 'types'])) {
  174. throw new \InvalidArgumentException('The given key can not be set');
  175. }
  176. if ($app === 'core' && $key === 'encryption_enabled' && $value !== 'yes') {
  177. throw new \InvalidArgumentException('The given key can not be set');
  178. }
  179. if ($app === 'core' && (strpos($key, 'public_') === 0 || strpos($key, 'remote_') === 0)) {
  180. throw new \InvalidArgumentException('The given key can not be set');
  181. }
  182. if ($app === 'files'
  183. && $key === 'default_quota'
  184. && $value === 'none'
  185. && $this->appConfig->getValueInt('files', 'allow_unlimited_quota', 1) === 0) {
  186. throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
  187. }
  188. }
  189. private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
  190. // Admin right verification
  191. $isAdmin = $this->groupManager->isAdmin($user->getUID());
  192. if ($isAdmin) {
  193. return true;
  194. }
  195. $settings = $this->settingManager->getAllAllowedAdminSettings($user);
  196. foreach ($settings as $setting) {
  197. if (!($setting instanceof IDelegatedSettings)) {
  198. continue;
  199. }
  200. $allowedKeys = $setting->getAuthorizedAppConfig();
  201. if (!array_key_exists($app, $allowedKeys)) {
  202. continue;
  203. }
  204. foreach ($allowedKeys[$app] as $regex) {
  205. if ($regex === $key
  206. || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
  207. return true;
  208. }
  209. }
  210. }
  211. return false;
  212. }
  213. }