1
0

AppConfigController.php 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
  5. *
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Kate Döen <kate.doeen@nextcloud.com>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OCA\Provisioning_API\Controller;
  27. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
  28. use OCP\AppFramework\Http;
  29. use OCP\AppFramework\Http\DataResponse;
  30. use OCP\AppFramework\OCSController;
  31. use OCP\IAppConfig;
  32. use OCP\IConfig;
  33. use OCP\IGroupManager;
  34. use OCP\IL10N;
  35. use OCP\IRequest;
  36. use OCP\IUser;
  37. use OCP\IUserSession;
  38. use OCP\Settings\IDelegatedSettings;
  39. use OCP\Settings\IManager;
  40. class AppConfigController extends OCSController {
  41. /** @var IConfig */
  42. protected $config;
  43. /** @var IAppConfig */
  44. protected $appConfig;
  45. /** @var IUserSession */
  46. private $userSession;
  47. /** @var IL10N */
  48. private $l10n;
  49. /** @var IGroupManager */
  50. private $groupManager;
  51. /** @var IManager */
  52. private $settingManager;
  53. /**
  54. * @param string $appName
  55. * @param IRequest $request
  56. * @param IConfig $config
  57. * @param IAppConfig $appConfig
  58. */
  59. public function __construct(string $appName,
  60. IRequest $request,
  61. IConfig $config,
  62. IAppConfig $appConfig,
  63. IUserSession $userSession,
  64. IL10N $l10n,
  65. IGroupManager $groupManager,
  66. IManager $settingManager) {
  67. parent::__construct($appName, $request);
  68. $this->config = $config;
  69. $this->appConfig = $appConfig;
  70. $this->userSession = $userSession;
  71. $this->l10n = $l10n;
  72. $this->groupManager = $groupManager;
  73. $this->settingManager = $settingManager;
  74. }
  75. /**
  76. * Get a list of apps
  77. *
  78. * @return DataResponse<Http::STATUS_OK, array{data: string[]}, array{}>
  79. *
  80. * 200: Apps returned
  81. */
  82. public function getApps(): DataResponse {
  83. return new DataResponse([
  84. 'data' => $this->appConfig->getApps(),
  85. ]);
  86. }
  87. /**
  88. * Get the config keys of an app
  89. *
  90. * @param string $app ID of the app
  91. * @return DataResponse<Http::STATUS_OK, array{data: string[]}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  92. *
  93. * 200: Keys returned
  94. * 403: App is not allowed
  95. */
  96. public function getKeys(string $app): DataResponse {
  97. try {
  98. $this->verifyAppId($app);
  99. } catch (\InvalidArgumentException $e) {
  100. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  101. }
  102. return new DataResponse([
  103. 'data' => $this->config->getAppKeys($app),
  104. ]);
  105. }
  106. /**
  107. * Get a the config value of an app
  108. *
  109. * @param string $app ID of the app
  110. * @param string $key Key
  111. * @param string $defaultValue Default returned value if the value is empty
  112. * @return DataResponse<Http::STATUS_OK, array{data: string}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  113. *
  114. * 200: Value returned
  115. * 403: App is not allowed
  116. */
  117. public function getValue(string $app, string $key, string $defaultValue = ''): DataResponse {
  118. try {
  119. $this->verifyAppId($app);
  120. } catch (\InvalidArgumentException $e) {
  121. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  122. }
  123. return new DataResponse([
  124. 'data' => $this->config->getAppValue($app, $key, $defaultValue),
  125. ]);
  126. }
  127. /**
  128. * @PasswordConfirmationRequired
  129. * @NoSubAdminRequired
  130. * @NoAdminRequired
  131. *
  132. * Update the config value of an app
  133. *
  134. * @param string $app ID of the app
  135. * @param string $key Key to update
  136. * @param string $value New value for the key
  137. * @return DataResponse<Http::STATUS_OK, array<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  138. *
  139. * 200: Value updated successfully
  140. * 403: App or key is not allowed
  141. */
  142. public function setValue(string $app, string $key, string $value): DataResponse {
  143. $user = $this->userSession->getUser();
  144. if ($user === null) {
  145. throw new \Exception("User is not logged in."); // Should not happen, since method is guarded by middleware
  146. }
  147. if (!$this->isAllowedToChangedKey($user, $app, $key)) {
  148. throw new NotAdminException($this->l10n->t('Logged in user must be an administrator or have authorization to edit this setting.'));
  149. }
  150. try {
  151. $this->verifyAppId($app);
  152. $this->verifyConfigKey($app, $key, $value);
  153. } catch (\InvalidArgumentException $e) {
  154. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  155. }
  156. $this->config->setAppValue($app, $key, $value);
  157. return new DataResponse();
  158. }
  159. /**
  160. * @PasswordConfirmationRequired
  161. *
  162. * Delete a config key of an app
  163. *
  164. * @param string $app ID of the app
  165. * @param string $key Key to delete
  166. * @return DataResponse<Http::STATUS_OK, array<empty>, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array{data: array{message: string}}, array{}>
  167. *
  168. * 200: Key deleted successfully
  169. * 403: App or key is not allowed
  170. */
  171. public function deleteKey(string $app, string $key): DataResponse {
  172. try {
  173. $this->verifyAppId($app);
  174. $this->verifyConfigKey($app, $key, '');
  175. } catch (\InvalidArgumentException $e) {
  176. return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_FORBIDDEN);
  177. }
  178. $this->config->deleteAppValue($app, $key);
  179. return new DataResponse();
  180. }
  181. /**
  182. * @param string $app
  183. * @throws \InvalidArgumentException
  184. */
  185. protected function verifyAppId(string $app) {
  186. if (\OC_App::cleanAppId($app) !== $app) {
  187. throw new \InvalidArgumentException('Invalid app id given');
  188. }
  189. }
  190. /**
  191. * @param string $app
  192. * @param string $key
  193. * @param string $value
  194. * @throws \InvalidArgumentException
  195. */
  196. protected function verifyConfigKey(string $app, string $key, string $value) {
  197. if (in_array($key, ['installed_version', 'enabled', 'types'])) {
  198. throw new \InvalidArgumentException('The given key can not be set');
  199. }
  200. if ($app === 'core' && $key === 'encryption_enabled' && $value !== 'yes') {
  201. throw new \InvalidArgumentException('The given key can not be set');
  202. }
  203. if ($app === 'core' && (strpos($key, 'public_') === 0 || strpos($key, 'remote_') === 0)) {
  204. throw new \InvalidArgumentException('The given key can not be set');
  205. }
  206. if ($app === 'files'
  207. && $key === 'default_quota'
  208. && $value === 'none'
  209. && $this->config->getAppValue('files', 'allow_unlimited_quota', '1') === '0') {
  210. throw new \InvalidArgumentException('The given key can not be set, unlimited quota is forbidden on this instance');
  211. }
  212. }
  213. private function isAllowedToChangedKey(IUser $user, string $app, string $key): bool {
  214. // Admin right verification
  215. $isAdmin = $this->groupManager->isAdmin($user->getUID());
  216. if ($isAdmin) {
  217. return true;
  218. }
  219. $settings = $this->settingManager->getAllAllowedAdminSettings($user);
  220. foreach ($settings as $setting) {
  221. if (!($setting instanceof IDelegatedSettings)) {
  222. continue;
  223. }
  224. $allowedKeys = $setting->getAuthorizedAppConfig();
  225. if (!array_key_exists($app, $allowedKeys)) {
  226. continue;
  227. }
  228. foreach ($allowedKeys[$app] as $regex) {
  229. if ($regex === $key
  230. || (str_starts_with($regex, '/') && preg_match($regex, $key) === 1)) {
  231. return true;
  232. }
  233. }
  234. }
  235. return false;
  236. }
  237. }