You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
477 lines
20 KiB
477 lines
20 KiB
<?php
|
|
// This file is part of Moodle - http://moodle.org/
|
|
//
|
|
// Moodle is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Moodle is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
/**
|
|
* Manages the creation and usage of access controlled links.
|
|
*
|
|
* @package repository_nextcloud
|
|
* @copyright 2017 Nina Herrmann (Learnweb, University of Münster)
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
namespace repository_nextcloud;
|
|
|
|
use context;
|
|
use \core\oauth2\api;
|
|
use \core\notification;
|
|
use repository_exception;
|
|
|
|
defined('MOODLE_INTERNAL') || die();
|
|
require_once($CFG->libdir . '/webdavlib.php');
|
|
|
|
/**
|
|
* Manages the creation and usage of access controlled links.
|
|
*
|
|
* @package repository_nextcloud
|
|
* @copyright 2017 Nina Herrmann (Learnweb, University of Münster)
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
class access_controlled_link_manager{
|
|
/**
|
|
* OCS client that uses the Open Collaboration Services REST API.
|
|
* @var ocs_client
|
|
*/
|
|
protected $ocsclient;
|
|
/**
|
|
* ocsclient of the systemaccount.
|
|
* @var ocs_client
|
|
*/
|
|
protected $systemocsclient;
|
|
/**
|
|
* Client to manage oauth2 features from the systemaccount.
|
|
* @var \core\oauth2\client
|
|
*/
|
|
protected $systemoauthclient;
|
|
/**
|
|
* Client to manage webdav request from the systemaccount..
|
|
* @var \webdav_client
|
|
*/
|
|
protected $systemwebdavclient;
|
|
/**
|
|
* Issuer from the oauthclient.
|
|
* @var \core\oauth2\issuer
|
|
*/
|
|
protected $issuer;
|
|
/**
|
|
* Name of the related repository.
|
|
* @var string
|
|
*/
|
|
protected $repositoryname;
|
|
|
|
/**
|
|
* Access_controlled_link_manager constructor.
|
|
* @param ocs_client $ocsclient
|
|
* @param \core\oauth2\client $systemoauthclient
|
|
* @param ocs_client $systemocsclient
|
|
* @param \core\oauth2\issuer $issuer
|
|
* @param string $repositoryname
|
|
* @throws configuration_exception
|
|
*/
|
|
public function __construct($ocsclient, $systemoauthclient, $systemocsclient, $issuer, $repositoryname) {
|
|
$this->ocsclient = $ocsclient;
|
|
$this->systemoauthclient = $systemoauthclient;
|
|
$this->systemocsclient = $systemocsclient;
|
|
|
|
$this->repositoryname = $repositoryname;
|
|
$this->issuer = $issuer;
|
|
$this->systemwebdavclient = $this->create_system_dav();
|
|
}
|
|
|
|
/**
|
|
* Deletes the share of the systemaccount and a user. In case the share could not be deleted a notification is
|
|
* displayed.
|
|
* @param int $shareid Remote ID of the share to be deleted.
|
|
*/
|
|
public function delete_share_dataowner_sysaccount($shareid) {
|
|
$shareid = (int) $shareid;
|
|
$deleteshareparams = [
|
|
'share_id' => $shareid
|
|
];
|
|
$deleteshareresponse = $this->ocsclient->call('delete_share', $deleteshareparams);
|
|
$xml = simplexml_load_string($deleteshareresponse);
|
|
|
|
if (empty($xml->meta->statuscode) || $xml->meta->statuscode != 100 ) {
|
|
notification::warning('You just shared a file with a access controlled link.
|
|
However, the share between you and the systemaccount could not be deleted and is still present in your instance.');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Creates a share between a user and the system account. If $username is set the sharing direction is system account -> user,
|
|
* otherwise user -> system account.
|
|
* @param string $path Remote path of the file that will be shared
|
|
* @param string $username optional when set the file is shared with the corresponding user otherwise with
|
|
* the systemaccount.
|
|
* @param bool $maywrite if false, only(!) read access is granted.
|
|
* @return array statuscode, shareid, and filetarget
|
|
* @throws request_exception
|
|
*/
|
|
public function create_share_user_sysaccount($path, $username = null, $maywrite = false) {
|
|
$result = array();
|
|
|
|
if ($username != null) {
|
|
$shareusername = $username;
|
|
} else {
|
|
$systemaccount = \core\oauth2\api::get_system_account($this->issuer);
|
|
$shareusername = $systemaccount->get('username');
|
|
}
|
|
$permissions = ocs_client::SHARE_PERMISSION_READ;
|
|
if ($maywrite) {
|
|
// Add more privileges (write, reshare) if allowed for the given user.
|
|
$permissions |= ocs_client::SHARE_PERMISSION_ALL;
|
|
}
|
|
$createshareparams = [
|
|
'path' => $path,
|
|
'shareType' => ocs_client::SHARE_TYPE_USER,
|
|
'publicUpload' => false,
|
|
'shareWith' => $shareusername,
|
|
'permissions' => $permissions,
|
|
];
|
|
|
|
// File is now shared with the system account.
|
|
if ($username === null) {
|
|
$createshareresponse = $this->ocsclient->call('create_share', $createshareparams);
|
|
} else {
|
|
$createshareresponse = $this->systemocsclient->call('create_share', $createshareparams);
|
|
}
|
|
$xml = simplexml_load_string($createshareresponse);
|
|
|
|
$statuscode = (int)$xml->meta->statuscode;
|
|
if ($statuscode != 100 && $statuscode != 403) {
|
|
$details = get_string('filenotaccessed', 'repository_nextcloud');
|
|
throw new request_exception(get_string('request_exception',
|
|
'repository_nextcloud', array('instance' => $this->repositoryname, 'errormessage' => $details)));
|
|
}
|
|
$result['shareid'] = (int)$xml->data->id;
|
|
$result['statuscode'] = $statuscode;
|
|
$result['filetarget'] = (string)$xml->data[0]->file_target;
|
|
|
|
return $result;
|
|
}
|
|
|
|
/** Copy or moves a file to a new path.
|
|
* @param string $srcpath source path
|
|
* @param string $dstpath
|
|
* @param string $operation move or copy
|
|
* @param \webdav_client $webdavclient needed when moving files.
|
|
* @return String Http-status of the request
|
|
* @throws configuration_exception
|
|
* @throws \coding_exception
|
|
* @throws \moodle_exception
|
|
* @throws \repository_nextcloud\request_exception
|
|
*/
|
|
public function transfer_file_to_path($srcpath, $dstpath, $operation, $webdavclient = null) {
|
|
$this->systemwebdavclient->open();
|
|
$webdavendpoint = issuer_management::parse_endpoint_url('webdav', $this->issuer);
|
|
|
|
$srcpath = ltrim($srcpath, '/');
|
|
$sourcepath = $webdavendpoint['path'] . $srcpath;
|
|
$dstpath = ltrim($dstpath, '/');
|
|
$destinationpath = $webdavendpoint['path'] . $dstpath . '/' . $srcpath;
|
|
|
|
if ($operation === 'copy') {
|
|
$result = $this->systemwebdavclient->copy_file($sourcepath, $destinationpath, true);
|
|
} else if ($operation === 'move') {
|
|
$result = $webdavclient->move($sourcepath, $destinationpath, false);
|
|
if ($result == 412) {
|
|
// A file with that name already exists at that target. Find a unique location!
|
|
$increment = 0; // Will be appended to/inserted into the filename.
|
|
// Define the pattern that is used to insert the increment to the filename.
|
|
if (substr_count($srcpath, '.') === 0) {
|
|
// No file extension; append increment to the (sprintf-escaped) name.
|
|
$namepattern = str_replace('%', '%%', $destinationpath) . ' (%s)';
|
|
} else {
|
|
// Append the increment to the second-to-last component, which is presumably the one before the extension.
|
|
// Again, the original path is sprintf-escaped.
|
|
$components = explode('.', str_replace('%', '%%', $destinationpath));
|
|
$components[count($components) - 2] .= ' (%s)';
|
|
$namepattern = implode('.', $components);
|
|
}
|
|
}
|
|
while ($result == 412) {
|
|
$increment++;
|
|
$destinationpath = sprintf($namepattern, $increment);
|
|
$result = $webdavclient->move($sourcepath, $destinationpath, false);
|
|
}
|
|
}
|
|
$this->systemwebdavclient->close();
|
|
if (!($result == 201 || $result == 412)) {
|
|
$details = get_string('contactadminwith', 'repository_nextcloud',
|
|
'A webdav request to ' . $operation . ' a file failed.');
|
|
throw new request_exception(array('instance' => $this->repositoryname, 'errormessage' => $details));
|
|
}
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Creates a unique folder path for the access controlled link.
|
|
* @param context $context
|
|
* @param string $component
|
|
* @param string $filearea
|
|
* @param string $itemid
|
|
* @return string $result full generated path.
|
|
* @throws request_exception If the folder path cannot be created.
|
|
*/
|
|
public function create_folder_path_access_controlled_links($context, $component, $filearea, $itemid) {
|
|
global $CFG, $SITE;
|
|
// The fullpath to store the file is generated from the context.
|
|
$contextlist = array_reverse($context->get_parent_contexts(true));
|
|
$fullpath = '';
|
|
$allfolders = [];
|
|
foreach ($contextlist as $ctx) {
|
|
// Prepare human readable context folders names, making sure they are still unique within the site.
|
|
$prevlang = force_current_language($CFG->lang);
|
|
$foldername = $ctx->get_context_name();
|
|
force_current_language($prevlang);
|
|
|
|
if ($ctx->contextlevel === CONTEXT_SYSTEM) {
|
|
// Append the site short name to the root folder.
|
|
$foldername .= ' ('.$SITE->shortname.')';
|
|
// Append the relevant object id.
|
|
} else if ($ctx->instanceid) {
|
|
$foldername .= ' (id '.$ctx->instanceid.')';
|
|
} else {
|
|
// This does not really happen but just in case.
|
|
$foldername .= ' (ctx '.$ctx->id.')';
|
|
}
|
|
|
|
$foldername = clean_param($foldername, PARAM_FILE);
|
|
$allfolders[] = $foldername;
|
|
}
|
|
|
|
$allfolders[] = clean_param($component, PARAM_FILE);
|
|
$allfolders[] = clean_param($filearea, PARAM_FILE);
|
|
$allfolders[] = clean_param($itemid, PARAM_FILE);
|
|
|
|
// Extracts the end of the webdavendpoint.
|
|
$parsedwebdavurl = issuer_management::parse_endpoint_url('webdav', $this->issuer);
|
|
$webdavprefix = $parsedwebdavurl['path'];
|
|
$this->systemwebdavclient->open();
|
|
// Checks whether folder exist and creates non-existent folders.
|
|
foreach ($allfolders as $foldername) {
|
|
$fullpath .= '/' . $foldername;
|
|
$isdir = $this->systemwebdavclient->is_dir($webdavprefix . $fullpath);
|
|
// Folder already exist, continue.
|
|
if ($isdir === true) {
|
|
continue;
|
|
}
|
|
$response = $this->systemwebdavclient->mkcol($webdavprefix . $fullpath);
|
|
|
|
if ($response != 201) {
|
|
$this->systemwebdavclient->close();
|
|
$details = get_string('contactadminwith', 'repository_nextcloud',
|
|
get_string('pathnotcreated', 'repository_nextcloud', $fullpath));
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => $details));
|
|
}
|
|
}
|
|
$this->systemwebdavclient->close();
|
|
return $fullpath;
|
|
}
|
|
|
|
/** Creates a new webdav_client for the system account.
|
|
* @return \webdav_client
|
|
* @throws configuration_exception
|
|
*/
|
|
public function create_system_dav() {
|
|
$webdavendpoint = issuer_management::parse_endpoint_url('webdav', $this->issuer);
|
|
|
|
// Selects the necessary information (port, type, server) from the path to build the webdavclient.
|
|
$server = $webdavendpoint['host'];
|
|
if ($webdavendpoint['scheme'] === 'https') {
|
|
$webdavtype = 'ssl://';
|
|
$webdavport = 443;
|
|
} else if ($webdavendpoint['scheme'] === 'http') {
|
|
$webdavtype = '';
|
|
$webdavport = 80;
|
|
}
|
|
|
|
// Override default port, if a specific one is set.
|
|
if (isset($webdavendpoint['port'])) {
|
|
$webdavport = $webdavendpoint['port'];
|
|
}
|
|
|
|
// Authentication method is `bearer` for OAuth 2. Pass oauth client from which WebDAV obtains the token when needed.
|
|
$dav = new \webdav_client($server, '', '', 'bearer', $webdavtype,
|
|
$this->systemoauthclient->get_accesstoken()->token, $webdavendpoint['path']);
|
|
|
|
$dav->port = $webdavport;
|
|
$dav->debug = false;
|
|
return $dav;
|
|
}
|
|
|
|
/** Creates a folder to store access controlled links.
|
|
* @param string $controlledlinkfoldername
|
|
* @param \webdav_client $webdavclient
|
|
* @throws \coding_exception
|
|
* @throws configuration_exception
|
|
* @throws request_exception
|
|
*/
|
|
public function create_storage_folder($controlledlinkfoldername, $webdavclient) {
|
|
$parsedwebdavurl = issuer_management::parse_endpoint_url('webdav', $this->issuer);
|
|
$webdavprefix = $parsedwebdavurl['path'];
|
|
// Checks whether folder exist and creates non-existent folders.
|
|
$webdavclient->open();
|
|
$isdir = $webdavclient->is_dir($webdavprefix . $controlledlinkfoldername);
|
|
// Folder already exist, continue.
|
|
if (!$isdir) {
|
|
$responsecreateshare = $webdavclient->mkcol($webdavprefix . $controlledlinkfoldername);
|
|
|
|
if ($responsecreateshare != 201) {
|
|
$webdavclient->close();
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => get_string('contactadminwith', 'repository_nextcloud',
|
|
'The folder to store files in the user account could not be created.')));
|
|
}
|
|
}
|
|
$webdavclient->close();
|
|
}
|
|
|
|
/** Gets all shares from a path (the path is file specific) and extracts the share of a specific user. In case
|
|
* multiple shares exist the first one is taken. Multiple shares can only appear when shares are created outside
|
|
* of this plugin, therefore this case is not handled.
|
|
* @param string $path
|
|
* @param string $username
|
|
* @return \SimpleXMLElement
|
|
* @throws \moodle_exception
|
|
*/
|
|
public function get_shares_from_path($path, $username) {
|
|
$ocsparams = [
|
|
'path' => $path,
|
|
'reshares' => true
|
|
];
|
|
|
|
$getsharesresponse = $this->systemocsclient->call('get_shares', $ocsparams);
|
|
$xml = simplexml_load_string($getsharesresponse);
|
|
$validelement = array();
|
|
foreach ($fileid = $xml->data->element as $element) {
|
|
if ($element->share_with == $username) {
|
|
$validelement = $element;
|
|
break;
|
|
}
|
|
}
|
|
if (empty($validelement)) {
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => get_string('filenotaccessed', 'repository_nextcloud')));
|
|
|
|
}
|
|
return $validelement->id;
|
|
}
|
|
|
|
/** This method can only be used if the response is from a newly created share. In this case there is more information
|
|
* in the response. For a reference refer to
|
|
* https://docs.nextcloud.com/server/13/developer_manual/core/ocs-share-api.html#get-information-about-a-known-share.
|
|
* @param int $shareid
|
|
* @param string $username
|
|
* @return mixed the id of the share
|
|
* @throws \coding_exception
|
|
* @throws \repository_nextcloud\request_exception
|
|
*/
|
|
public function get_share_information_from_shareid($shareid, $username) {
|
|
$ocsparams = [
|
|
'share_id' => (int) $shareid
|
|
];
|
|
|
|
$shareinformation = $this->ocsclient->call('get_information_of_share', $ocsparams);
|
|
$xml = simplexml_load_string($shareinformation);
|
|
foreach ($fileid = $xml->data->element as $element) {
|
|
if ($element->share_with == $username) {
|
|
$validelement = $element;
|
|
break;
|
|
}
|
|
}
|
|
if (empty($validelement)) {
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => get_string('filenotaccessed', 'repository_nextcloud')));
|
|
|
|
}
|
|
return (string) $validelement->file_target;
|
|
}
|
|
|
|
/**
|
|
* Find a file that has previously been shared with the system account.
|
|
* @param string $path Path to file in user context.
|
|
* @return array shareid: ID of share, filetarget: path to file in sys account.
|
|
* @throws request_exception If the share cannot be resolved.
|
|
*/
|
|
public function find_share_in_sysaccount($path) {
|
|
$systemaccount = \core\oauth2\api::get_system_account($this->issuer);
|
|
$systemaccountuser = $systemaccount->get('username');
|
|
|
|
// Find out share ID from user files.
|
|
$ocsparams = [
|
|
'path' => $path,
|
|
'reshares' => true
|
|
];
|
|
|
|
$getsharesresponse = $this->ocsclient->call('get_shares', $ocsparams);
|
|
$xml = simplexml_load_string($getsharesresponse);
|
|
$validelement = array();
|
|
foreach ($fileid = $xml->data->element as $element) {
|
|
if ($element->share_with == $systemaccountuser) {
|
|
$validelement = $element;
|
|
break;
|
|
}
|
|
}
|
|
if (empty($validelement)) {
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => get_string('filenotaccessed', 'repository_nextcloud')));
|
|
}
|
|
$shareid = (int) $validelement->id;
|
|
|
|
// Use share id to find file name in system account's context.
|
|
$ocsparams = [
|
|
'share_id' => $shareid
|
|
];
|
|
|
|
$shareinformation = $this->systemocsclient->call('get_information_of_share', $ocsparams);
|
|
$xml = simplexml_load_string($shareinformation);
|
|
foreach ($fileid = $xml->data->element as $element) {
|
|
if ($element->share_with == $systemaccountuser) {
|
|
$validfile = $element;
|
|
break;
|
|
}
|
|
}
|
|
if (empty($validfile)) {
|
|
throw new request_exception(array('instance' => $this->repositoryname,
|
|
'errormessage' => get_string('filenotaccessed', 'repository_nextcloud')));
|
|
|
|
}
|
|
return [
|
|
'shareid' => $shareid,
|
|
'filetarget' => (string) $validfile->file_target
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Download a file from the system account for the purpose of offline usage.
|
|
* @param string $srcpath Name of a file owned by the system account
|
|
* @param string $targetpath Temporary filename in Moodle
|
|
* @throws repository_exception The download was unsuccessful, maybe the file does not exist.
|
|
*/
|
|
public function download_for_offline_usage(string $srcpath, string $targetpath): void {
|
|
$this->systemwebdavclient->open();
|
|
$webdavendpoint = issuer_management::parse_endpoint_url('webdav', $this->issuer);
|
|
$srcpath = ltrim($srcpath, '/');
|
|
$sourcepath = $webdavendpoint['path'] . $srcpath;
|
|
|
|
// Write file into temp location.
|
|
if (!$this->systemwebdavclient->get_file($sourcepath, $targetpath)) {
|
|
$this->systemwebdavclient->close();
|
|
throw new repository_exception('cannotdownload', 'repository');
|
|
}
|
|
$this->systemwebdavclient->close();
|
|
}
|
|
}
|
|
|