-
-
Notifications
You must be signed in to change notification settings - Fork 5.1k
Expand file tree
/
Copy pathAjaxController.php
More file actions
143 lines (129 loc) · 4.27 KB
/
Copy pathAjaxController.php
File metadata and controls
143 lines (129 loc) · 4.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
<?php
/**
* SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OCA\Files_External\Controller;
use OC\Settings\AuthorizedGroupMapper;
use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
use OCA\Files_External\Lib\Auth\PublicKey\RSA;
use OCA\Files_External\Settings\Admin;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IGroupManager;
use OCP\IL10N;
use OCP\IRequest;
use OCP\IUserManager;
use OCP\IUserSession;
class AjaxController extends Controller {
/**
* @param string $appName
* @param IRequest $request
* @param RSA $rsaMechanism
* @param GlobalAuth $globalAuth
* @param IUserSession $userSession
* @param IGroupManager $groupManager
*/
public function __construct(
$appName,
IRequest $request,
private RSA $rsaMechanism,
private GlobalAuth $globalAuth,
private IUserSession $userSession,
private IGroupManager $groupManager,
private IUserManager $userManager,
private IL10N $l10n,
private AuthorizedGroupMapper $authorizedGroupMapper,
) {
parent::__construct($appName, $request);
}
/**
* Returns a list of users and groups that match the given pattern.
* Used for user and group picker in the admin settings.
*
* @param string $pattern The search pattern
* @param int|null $limit The maximum number of results to return
* @param int|null $offset The offset from which to start returning results
* @return JSONResponse
*/
#[AuthorizedAdminSetting(settings: Admin::class)]
public function getApplicableEntities(string $pattern = '', ?int $limit = null, ?int $offset = null): JSONResponse {
$groups = [];
foreach ($this->groupManager->search($pattern, $limit, $offset) as $group) {
$groups[$group->getGID()] = $group->getDisplayName();
}
$users = [];
foreach ($this->userManager->searchDisplayName($pattern, $limit, $offset) as $user) {
$users[$user->getUID()] = $user->getDisplayName();
}
$results = ['groups' => $groups, 'users' => $users];
return new JSONResponse($results);
}
/**
* @param int $keyLength
* @return array
*/
private function generateSshKeys($keyLength) {
$key = $this->rsaMechanism->createKey($keyLength);
// Replace the placeholder label with a more meaningful one
$key['publickey'] = str_replace('phpseclib-generated-key', gethostname(), $key['publickey']);
return $key;
}
/**
* Generates an SSH public/private key pair.
*
* @param int $keyLength
*/
#[NoAdminRequired]
public function getSshKeys($keyLength = 1024) {
$key = $this->generateSshKeys($keyLength);
return new JSONResponse([
'data' => [
'private_key' => $key['privatekey'],
'public_key' => $key['publickey']
],
'status' => 'success',
]);
}
/**
* @param string $uid
* @param string $user
* @param string $password
* @return JSONResponse
*/
#[NoAdminRequired]
#[PasswordConfirmationRequired(strict: true)]
public function saveGlobalCredentials($uid, $user, $password): JSONResponse {
$currentUser = $this->userSession->getUser();
if ($currentUser === null) {
return new JSONResponse([
'status' => 'error',
'message' => $this->l10n->t('You are not logged in'),
], Http::STATUS_UNAUTHORIZED);
}
// Non-admins can only edit their own credentials.
// Admin or delegated admin can edit global credentials (uid === '').
// Cannot use #[AuthorizedAdminSetting] here because this endpoint is
// #[NoAdminRequired] and must also allow users to edit their own (uid !== '')
// credentials — the two paths share one method.
$allowedToEdit = $uid === ''
? $this->groupManager->isAdmin($currentUser->getUID())
|| in_array(Admin::class, $this->authorizedGroupMapper->findAllClassesForUser($currentUser), true)
: $currentUser->getUID() === $uid;
if ($allowedToEdit) {
$this->globalAuth->saveAuth($uid, $user, $password);
return new JSONResponse([
'status' => 'success',
]);
}
return new JSONResponse([
'status' => 'success',
'message' => $this->l10n->t('Permission denied'),
], Http::STATUS_FORBIDDEN);
}
}