Allow restricting of app password permissions

apps/dav/lib/Connector/Sabre/Auth.php

@@ -159,6 +159,7 @@ function check(RequestInterface $request, ResponseInterface $response) {
 		} catch (Exception $e) {
 			$class = get_class($e);
 			$msg = $e->getMessage();
+			\OC::$server->getLogger()->logException($e);
 			throw new ServiceUnavailable("$class: $msg");
 		}
 	}

db_structure.xml

@@ -1152,6 +1152,13 @@
 				<length>4</length>
 			</field>
 
+			<field>
+				<name>scope</name>
+				<type>clob</type>
+				<default></default>
+				<notnull>false</notnull>
+			</field>
+
 			<index>
 				<name>authtoken_token_index</name>
 				<unique>true</unique>

lib/composer/composer/autoload_classmap.php

@@ -189,6 +189,7 @@
     'OCP\\LDAP\\ILDAPProviderFactory' => $baseDir . '/lib/public/LDAP/ILDAPProviderFactory.php',
     'OCP\\Lock\\ILockingProvider' => $baseDir . '/lib/public/Lock/ILockingProvider.php',
     'OCP\\Lock\\LockedException' => $baseDir . '/lib/public/Lock/LockedException.php',
+    'OCP\\Lockdown\\ILockdownManager' => $baseDir . '/lib/public/Lockdown/ILockdownManager.php',
     'OCP\\Mail\\IMailer' => $baseDir . '/lib/public/Mail/IMailer.php',
     'OCP\\Migration\\IOutput' => $baseDir . '/lib/public/Migration/IOutput.php',
     'OCP\\Migration\\IRepairStep' => $baseDir . '/lib/public/Migration/IRepairStep.php',
@@ -580,6 +581,9 @@
     'OC\\Lock\\DBLockingProvider' => $baseDir . '/lib/private/Lock/DBLockingProvider.php',
     'OC\\Lock\\MemcacheLockingProvider' => $baseDir . '/lib/private/Lock/MemcacheLockingProvider.php',
     'OC\\Lock\\NoopLockingProvider' => $baseDir . '/lib/private/Lock/NoopLockingProvider.php',
+    'OC\\Lockdown\\Filesystem\\NullCache' => $baseDir . '/lib/private/Lockdown/Filesystem/NullCache.php',
+    'OC\\Lockdown\\Filesystem\\NullStorage' => $baseDir . '/lib/private/Lockdown/Filesystem/NullStorage.php',
+    'OC\\Lockdown\\LockdownManager' => $baseDir . '/lib/private/Lockdown/LockdownManager.php',
     'OC\\Log' => $baseDir . '/lib/private/Log.php',
     'OC\\Log\\ErrorHandler' => $baseDir . '/lib/private/Log/ErrorHandler.php',
     'OC\\Log\\Errorlog' => $baseDir . '/lib/private/Log/Errorlog.php',

lib/composer/composer/autoload_static.php

@@ -219,6 +219,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OCP\\LDAP\\ILDAPProviderFactory' => __DIR__ . '/../../..' . '/lib/public/LDAP/ILDAPProviderFactory.php',
         'OCP\\Lock\\ILockingProvider' => __DIR__ . '/../../..' . '/lib/public/Lock/ILockingProvider.php',
         'OCP\\Lock\\LockedException' => __DIR__ . '/../../..' . '/lib/public/Lock/LockedException.php',
+        'OCP\\Lockdown\\ILockdownManager' => __DIR__ . '/../../..' . '/lib/public/Lockdown/ILockdownManager.php',
         'OCP\\Mail\\IMailer' => __DIR__ . '/../../..' . '/lib/public/Mail/IMailer.php',
         'OCP\\Migration\\IOutput' => __DIR__ . '/../../..' . '/lib/public/Migration/IOutput.php',
         'OCP\\Migration\\IRepairStep' => __DIR__ . '/../../..' . '/lib/public/Migration/IRepairStep.php',
@@ -610,6 +611,9 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Lock\\DBLockingProvider' => __DIR__ . '/../../..' . '/lib/private/Lock/DBLockingProvider.php',
         'OC\\Lock\\MemcacheLockingProvider' => __DIR__ . '/../../..' . '/lib/private/Lock/MemcacheLockingProvider.php',
         'OC\\Lock\\NoopLockingProvider' => __DIR__ . '/../../..' . '/lib/private/Lock/NoopLockingProvider.php',
+        'OC\\Lockdown\\Filesystem\\NullCache' => __DIR__ . '/../../..' . '/lib/private/Lockdown/Filesystem/NullCache.php',
+        'OC\\Lockdown\\Filesystem\\NullStorage' => __DIR__ . '/../../..' . '/lib/private/Lockdown/Filesystem/NullStorage.php',
+        'OC\\Lockdown\\LockdownManager' => __DIR__ . '/../../..' . '/lib/private/Lockdown/LockdownManager.php',
         'OC\\Log' => __DIR__ . '/../../..' . '/lib/private/Log.php',
         'OC\\Log\\ErrorHandler' => __DIR__ . '/../../..' . '/lib/private/Log/ErrorHandler.php',
         'OC\\Log\\Errorlog' => __DIR__ . '/../../..' . '/lib/private/Log/Errorlog.php',

lib/private/Authentication/Token/DefaultToken.php

@@ -87,6 +87,17 @@ class DefaultToken extends Entity implements IToken {
 	 */
 	protected $lastCheck;
 
+	/**
+	 * @var string
+	 */
+	protected $scope;
+
+	public function __construct() {
+		$this->addType('type', 'int');
+		$this->addType('lastActivity', 'int');
+		$this->addType('lastCheck', 'int');
+	}
+
 	public function getId() {
 		return $this->id;
 	}
@@ -119,6 +130,7 @@ public function jsonSerialize() {
 			'name' => $this->name,
 			'lastActivity' => $this->lastActivity,
 			'type' => $this->type,
+			'scope' => $this->getScopeAsArray()
 		];
 	}
 
@@ -140,4 +152,25 @@ public function setLastCheck($time) {
 		return parent::setLastCheck($time);
 	}
 
+	public function getScope() {
+		return parent::getScope();
+	}
+
+	public function getScopeAsArray() {
+		$scope = json_decode($this->getScope(), true);
+		if (!$scope) {
+			return [
+				'filesystem'=> true
+			];
+		}
+		return $scope;
+	}
+
+	public function setScope($scope) {
+		if (is_array($scope)) {
+			parent::setScope(json_encode($scope));
+		} else {
+			parent::setScope((string)$scope);
+		}
+	}
 }

lib/private/Authentication/Token/DefaultTokenMapper.php

@@ -72,17 +72,40 @@ public function invalidateOld($olderThan, $remember = IToken::DO_NOT_REMEMBER) {
 	public function getToken($token) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
-			->where($qb->expr()->eq('token', $qb->createParameter('token')))
-			->setParameter('token', $token)
+			->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
 			->execute();
 
 		$data = $result->fetch();
 		$result->closeCursor();
 		if ($data === false) {
 			throw new DoesNotExistException('token does not exist');
 		}
+;
+		return DefaultToken::fromRow($data);
+	}
+
+	/**
+	 * Get the token for $id
+	 *
+	 * @param string $id
+	 * @throws DoesNotExistException
+	 * @return DefaultToken
+	 */
+	public function getTokenById($id) {
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'token', 'last_activity', 'last_check', 'scope')
+			->from('authtoken')
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+			->execute();
+
+		$data = $result->fetch();
+		$result->closeCursor();
+		if ($data === false) {
+			throw new DoesNotExistException('token does not exist');
+		};
 		return DefaultToken::fromRow($data);
 	}
 
@@ -98,7 +121,7 @@ public function getToken($token) {
 	public function getTokenByUser(IUser $user) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
 			->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
 			->setMaxResults(1000);

lib/private/Authentication/Token/DefaultTokenProvider.php

@@ -145,7 +145,7 @@ public function getTokenByUser(IUser $user) {
 	}
 
 	/**
-	 * Get a token by token id
+	 * Get a token by token
 	 *
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
@@ -159,6 +159,21 @@ public function getToken($tokenId) {
 		}
 	}
 
+	/**
+	 * Get a token by token id
+	 *
+	 * @param string $tokenId
+	 * @throws InvalidTokenException
+	 * @return DefaultToken
+	 */
+	public function getTokenById($tokenId) {
+		try {
+			return $this->mapper->getTokenById($tokenId);
+		} catch (DoesNotExistException $ex) {
+			throw new InvalidTokenException();
+		}
+	}
+
 	/**
 	 * @param string $oldSessionId
 	 * @param string $sessionId

lib/private/Authentication/Token/IProvider.php

@@ -50,7 +50,16 @@ public function generateToken($token, $uid, $loginName, $password, $name, $type
 	 * @throws InvalidTokenException
 	 * @return IToken
 	 */
-	public function getToken($tokenId) ;
+	public function getToken($tokenId);
+
+	/**
+	 * Get a token by token id
+	 *
+	 * @param string $tokenId
+	 * @throws InvalidTokenException
+	 * @return DefaultToken
+	 */
+	public function getTokenById($tokenId);
 
 	/**
 	 * Duplicate an existing session token

lib/private/Authentication/Token/IToken.php

@@ -67,9 +67,30 @@ public function getPassword();
 	public function getLastCheck();
 
 	/**
-	 * Get the timestamp of the last password check
+	 * Set the timestamp of the last password check
 	 *
 	 * @param int $time
 	 */
 	public function setLastCheck($time);
+
+	/**
+	 * Get the authentication scope for this token
+	 *
+	 * @return string
+	 */
+	public function getScope();
+
+	/**
+	 * Get the authentication scope for this token
+	 *
+	 * @return array
+	 */
+	public function getScopeAsArray();
+
+	/**
+	 * Set the authentication scope for this token
+	 *
+	 * @param array $scope
+	 */
+	public function setScope($scope);
 }

lib/private/Files/Filesystem.php

@@ -62,6 +62,7 @@
 use OC\Files\Config\MountProviderCollection;
 use OC\Files\Mount\MountPoint;
 use OC\Files\Storage\StorageFactory;
+use OC\Lockdown\Filesystem\NullStorage;
 use OCP\Files\Config\IMountProvider;
 use OCP\Files\Mount\IMountPoint;
 use OCP\Files\NotFoundException;
@@ -216,7 +217,7 @@ class Filesystem {
 	 * @internal
 	 */
 	public static function logWarningWhenAddingStorageWrapper($shouldLog) {
-		self::$logWarningWhenAddingStorageWrapper = (bool) $shouldLog;
+		self::$logWarningWhenAddingStorageWrapper = (bool)$shouldLog;
 	}
 
 	/**
@@ -426,25 +427,36 @@ public static function initMountPoints($user = '') {
 			self::$usersSetup[$user] = true;
 		}
 
-		/** @var \OC\Files\Config\MountProviderCollection $mountConfigManager */
-		$mountConfigManager = \OC::$server->getMountProviderCollection();
+		if (\OC::$server->getLockdownManager()->canAccessFilesystem()) {
+			/** @var \OC\Files\Config\MountProviderCollection $mountConfigManager */
+			$mountConfigManager = \OC::$server->getMountProviderCollection();
 
-		// home mounts are handled seperate since we need to ensure this is mounted before we call the other mount providers
-		$homeMount = $mountConfigManager->getHomeMountForUser($userObject);
+			// home mounts are handled seperate since we need to ensure this is mounted before we call the other mount providers
+			$homeMount = $mountConfigManager->getHomeMountForUser($userObject);
 
-		self::getMountManager()->addMount($homeMount);
+			self::getMountManager()->addMount($homeMount);
 
-		\OC\Files\Filesystem::getStorage($user);
+			\OC\Files\Filesystem::getStorage($user);
 
-		// Chance to mount for other storages
-		if ($userObject) {
-			$mounts = $mountConfigManager->getMountsForUser($userObject);
-			array_walk($mounts, array(self::$mounts, 'addMount'));
-			$mounts[] = $homeMount;
-			$mountConfigManager->registerMounts($userObject, $mounts);
-		}
+			// Chance to mount for other storages
+			if ($userObject) {
+				$mounts = $mountConfigManager->getMountsForUser($userObject);
+				array_walk($mounts, array(self::$mounts, 'addMount'));
+				$mounts[] = $homeMount;
+				$mountConfigManager->registerMounts($userObject, $mounts);
+			}
 
-		self::listenForNewMountProviders($mountConfigManager, $userManager);
+			self::listenForNewMountProviders($mountConfigManager, $userManager);
+		} else {
+			self::$mounts->addMount(new MountPoint(
+				new NullStorage([]),
+				'/' . $user
+			));
+			self::$mounts->addMount(new MountPoint(
+				new NullStorage([]),
+				'/' . $user . '/files'
+			));
+		}
 		\OC_Hook::emit('OC_Filesystem', 'post_initMountPoints', array('user' => $user));
 	}