mirror of
https://github.com/nextcloud/server.git
synced 2026-04-04 16:45:22 -04:00
feat(Security): Warn about using annotations instead of attributes
Signed-off-by: provokateurin <kate@provokateurin.de>
This commit is contained in:
provokateurin
parent
1de5adf867
commit
e5dcdfb9e0
6 changed files with 31 additions and 14 deletions
|
|
@ -207,7 +207,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
$c->get(IRequest::class),
|
||||
$c->get(IControllerMethodReflector::class),
|
||||
$c->get(IUserSession::class),
|
||||
$c->get(IThrottler::class)
|
||||
$c->get(IThrottler::class),
|
||||
$c->get(LoggerInterface::class)
|
||||
)
|
||||
);
|
||||
$dispatcher->registerMiddleware(
|
||||
|
|
@ -251,6 +252,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
$c->get(IUserSession::class),
|
||||
$c->get(ITimeFactory::class),
|
||||
$c->get(\OC\Authentication\Token\IProvider::class),
|
||||
$c->get(LoggerInterface::class),
|
||||
)
|
||||
);
|
||||
$dispatcher->registerMiddleware(
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ use OCP\AppFramework\Middleware;
|
|||
use OCP\IRequest;
|
||||
use OCP\ISession;
|
||||
use OCP\Security\Bruteforce\IThrottler;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use ReflectionMethod;
|
||||
|
||||
/**
|
||||
|
|
@ -42,7 +43,9 @@ class CORSMiddleware extends Middleware {
|
|||
public function __construct(IRequest $request,
|
||||
ControllerMethodReflector $reflector,
|
||||
Session $session,
|
||||
IThrottler $throttler) {
|
||||
IThrottler $throttler,
|
||||
private readonly LoggerInterface $logger,
|
||||
) {
|
||||
$this->request = $request;
|
||||
$this->reflector = $reflector;
|
||||
$this->session = $session;
|
||||
|
|
@ -103,6 +106,7 @@ class CORSMiddleware extends Middleware {
|
|||
|
||||
|
||||
if (!empty($reflectionMethod->getAttributes($attributeClass))) {
|
||||
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ use OCP\ISession;
|
|||
use OCP\IUserSession;
|
||||
use OCP\Session\Exceptions\SessionNotAvailableException;
|
||||
use OCP\User\Backend\IPasswordConfirmationBackend;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use ReflectionMethod;
|
||||
|
||||
class PasswordConfirmationMiddleware extends Middleware {
|
||||
|
|
@ -48,6 +49,7 @@ class PasswordConfirmationMiddleware extends Middleware {
|
|||
IUserSession $userSession,
|
||||
ITimeFactory $timeFactory,
|
||||
IProvider $tokenProvider,
|
||||
private readonly LoggerInterface $logger,
|
||||
) {
|
||||
$this->reflector = $reflector;
|
||||
$this->session = $session;
|
||||
|
|
@ -113,6 +115,7 @@ class PasswordConfirmationMiddleware extends Middleware {
|
|||
}
|
||||
|
||||
if ($this->reflector->hasAnnotation($annotationName)) {
|
||||
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -243,6 +243,7 @@ class SecurityMiddleware extends Middleware {
|
|||
}
|
||||
|
||||
if ($this->reflector->hasAnnotation($annotationName)) {
|
||||
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ use OCP\IRequest;
|
|||
use OCP\IRequestId;
|
||||
use OCP\Security\Bruteforce\IThrottler;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use Test\AppFramework\Middleware\Security\Mock\CORSMiddlewareController;
|
||||
|
||||
class CORSMiddlewareTest extends \Test\TestCase {
|
||||
|
|
@ -29,12 +30,14 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
private $throttler;
|
||||
/** @var CORSMiddlewareController */
|
||||
private $controller;
|
||||
private LoggerInterface $logger;
|
||||
|
||||
protected function setUp(): void {
|
||||
parent::setUp();
|
||||
$this->reflector = new ControllerMethodReflector();
|
||||
$this->session = $this->createMock(Session::class);
|
||||
$this->throttler = $this->createMock(IThrottler::class);
|
||||
$this->logger = $this->createMock(LoggerInterface::class);
|
||||
$this->controller = new CORSMiddlewareController(
|
||||
'test',
|
||||
$this->createMock(IRequest::class)
|
||||
|
|
@ -62,7 +65,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$response = $middleware->afterController($this->controller, $method, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
|
|
@ -79,7 +82,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IRequestId::class),
|
||||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
|
|
@ -103,7 +106,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$response = $middleware->afterController($this->controller, $method, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
|
|
@ -133,7 +136,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$response = new Response();
|
||||
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
||||
|
|
@ -159,7 +162,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
$this->session->expects($this->once())
|
||||
->method('isLoggedIn')
|
||||
->willReturn(false);
|
||||
|
|
@ -193,7 +196,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
$this->session->expects($this->once())
|
||||
->method('isLoggedIn')
|
||||
->willReturn(true);
|
||||
|
|
@ -234,7 +237,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
->with($this->equalTo('user'), $this->equalTo('pass'))
|
||||
->willReturn(true);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$middleware->beforeController($this->controller, $method);
|
||||
}
|
||||
|
|
@ -267,7 +270,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
->with($this->equalTo('user'), $this->equalTo('pass'))
|
||||
->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$middleware->beforeController($this->controller, $method);
|
||||
}
|
||||
|
|
@ -300,7 +303,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
->with($this->equalTo('user'), $this->equalTo('pass'))
|
||||
->willReturn(false);
|
||||
$this->reflector->reflect($this->controller, $method);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
|
||||
$middleware->beforeController($this->controller, $method);
|
||||
}
|
||||
|
|
@ -314,7 +317,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IRequestId::class),
|
||||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception'));
|
||||
|
||||
$expected = new JSONResponse(['message' => 'A security exception'], 500);
|
||||
|
|
@ -330,7 +333,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IRequestId::class),
|
||||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception', 501));
|
||||
|
||||
$expected = new JSONResponse(['message' => 'A security exception'], 501);
|
||||
|
|
@ -349,7 +352,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
|
|||
$this->createMock(IRequestId::class),
|
||||
$this->createMock(IConfig::class)
|
||||
);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
|
||||
$middleware->afterException($this->controller, __FUNCTION__, new \Exception('A regular exception'));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ use OCP\IRequest;
|
|||
use OCP\ISession;
|
||||
use OCP\IUser;
|
||||
use OCP\IUserSession;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use Test\AppFramework\Middleware\Security\Mock\PasswordConfirmationMiddlewareController;
|
||||
use Test\TestCase;
|
||||
|
||||
|
|
@ -35,6 +36,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
|
|||
/** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
|
||||
private $timeFactory;
|
||||
private IProvider|\PHPUnit\Framework\MockObject\MockObject $tokenProvider;
|
||||
private LoggerInterface $logger;
|
||||
|
||||
protected function setUp(): void {
|
||||
$this->reflector = new ControllerMethodReflector();
|
||||
|
|
@ -43,6 +45,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
|
|||
$this->user = $this->createMock(IUser::class);
|
||||
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||
$this->tokenProvider = $this->createMock(IProvider::class);
|
||||
$this->logger = $this->createMock(LoggerInterface::class);
|
||||
$this->controller = new PasswordConfirmationMiddlewareController(
|
||||
'test',
|
||||
$this->createMock(IRequest::class)
|
||||
|
|
@ -54,6 +57,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
|
|||
$this->userSession,
|
||||
$this->timeFactory,
|
||||
$this->tokenProvider,
|
||||
$this->logger,
|
||||
);
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue