fix(encryption): do not setup filesystem without permissions

If the current request does not have permissions for the filesystem we must not try to setup the filesystem. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
4 weeks ago · 7cc3c1f669
2 changed files with 47 additions and 0 deletions
--- a/apps/encryption/lib/Listeners/UserEventsListener.php
+++ b/apps/encryption/lib/Listeners/UserEventsListener.php
@ -21,6 +21,7 @@ use OCP\EventDispatcher\IEventListener;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
+use OCP\Lockdown\ILockdownManager;
 use OCP\User\Events\BeforePasswordUpdatedEvent;
 use OCP\User\Events\PasswordUpdatedEvent;
 use OCP\User\Events\UserCreatedEvent;
@ -43,6 +44,7 @@ class UserEventsListener implements IEventListener {
 		private IUserSession $userSession,
 		private SetupManager $setupManager,
 		private PassphraseService $passphraseService,
+		private ILockdownManager $lockdownManager,
 	) {
 	}

@ -70,6 +72,11 @@ class UserEventsListener implements IEventListener {
 	 * Startup encryption backend upon user login
 	 */
 	private function onUserLogin(IUser $user, ?string $password): void {
+		// Do not try to setup filesystem if the current request does not have permissions to access it
+		if (!$this->lockdownManager->canAccessFilesystem()) {
+			return;
+		}
+
 		// ensure filesystem is loaded
 		$this->setupManager->setupForUser($user);
 		if ($this->util->isMasterKeyEnabled() === false) {
--- a/apps/encryption/tests/Listeners/UserEventsListenersTest.php
+++ b/apps/encryption/tests/Listeners/UserEventsListenersTest.php
@ -20,6 +20,7 @@ use OCA\Encryption\Util;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
+use OCP\Lockdown\ILockdownManager;
 use OCP\User\Events\BeforePasswordUpdatedEvent;
 use OCP\User\Events\PasswordUpdatedEvent;
 use OCP\User\Events\UserCreatedEvent;
@ -41,6 +42,7 @@ class UserEventsListenersTest extends TestCase {
 	protected IUserManager&MockObject $userManager;
 	protected IUserSession&MockObject $userSession;
 	protected SetupManager&MockObject $setupManager;
+	protected ILockdownManager&MockObject $lockdownManager;
 	protected PassphraseService&MockObject $passphraseService;

 	protected UserEventsListener $instance;
@ -55,6 +57,7 @@ class UserEventsListenersTest extends TestCase {
 		$this->userManager = $this->createMock(IUserManager::class);
 		$this->userSession = $this->createMock(IUserSession::class);
 		$this->setupManager = $this->createMock(SetupManager::class);
+		$this->lockdownManager = $this->createMock(ILockdownManager::class);
 		$this->passphraseService = $this->createMock(PassphraseService::class);

 		$this->instance = new UserEventsListener(
@ -66,10 +69,14 @@ class UserEventsListenersTest extends TestCase {
 			$this->userSession,
 			$this->setupManager,
 			$this->passphraseService,
+			$this->lockdownManager,
 		);
 	}

 	public function testLogin(): void {
+		$this->lockdownManager->expects(self::once())
+			->method('canAccessFilesystem')
+			->willReturn(true);
 		$this->userSetup->expects(self::once())
 			->method('setupUser')
 			->willReturn(true);
@ -96,6 +103,9 @@ class UserEventsListenersTest extends TestCase {
 	}

 	public function testLoginMasterKey(): void {
+		$this->lockdownManager->expects(self::once())
+			->method('canAccessFilesystem')
+			->willReturn(true);
 		$this->util->method('isMasterKeyEnabled')->willReturn(true);

 		$this->userSetup->expects(self::never())
@ -121,6 +131,36 @@ class UserEventsListenersTest extends TestCase {
 		$this->instance->handle($event);
 	}

+	public function testLoginNoFilesystemAccess(): void {
+		$this->lockdownManager->expects(self::once())
+			->method('canAccessFilesystem')
+			->willReturn(false);
+
+		$this->userSetup->expects(self::never())
+			->method('setupUser');
+
+		$this->setupManager->expects(self::never())
+			->method('setupForUser');
+
+		$this->keyManager->expects(self::never())
+			->method('init');
+
+		$user = $this->createMock(IUser::class);
+		$user->expects(self::any())
+			->method('getUID')
+			->willReturn('testUser');
+
+		$event = $this->createMock(UserLoggedInEvent::class);
+		$event->expects(self::atLeastOnce())
+			->method('getUser')
+			->willReturn($user);
+		$event->expects(self::atLeastOnce())
+			->method('getPassword')
+			->willReturn('password');
+
+		$this->instance->handle($event);
+	}
+
 	public function testLogout(): void {
 		$this->session->expects(self::once())
 			->method('clear');