diff --git a/changelog/unreleased/readable-share-enforce-password.md b/changelog/unreleased/readable-share-enforce-password.md
new file mode 100644
index 00000000000..3ca7a6ce350
--- /dev/null
+++ b/changelog/unreleased/readable-share-enforce-password.md
@@ -0,0 +1,6 @@
+Enhancement: Add config to enforce passwords on readable links
+
+We added the config `OCIS_SHARING_PUBLIC_READABLE_SHARE_MUST_HAVE_PASSWORD` to enforce passwords on "Viewer" public shares.
+
+https://github.com/owncloud/ocis/pull/7547
+https://github.com/owncloud/ocis/issues/7539
diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go
index 23b9d1699e5..535d87a582c 100644
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -138,6 +138,7 @@ type OCS struct {
 CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the oCIS product, therefore not part of docs
 CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the oCIS product, therefore not part of docs
 EnableDenials bool `yaml:"enable_denials" env:"FRONTEND_OCS_ENABLE_DENIALS" desc:"EXPERIMENTAL: enable the feature to deny access on folders."`
+ PublicShareMustHavePassword bool `yaml:"public_sharing_share_must_have_password" env:"OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on all public shares."`
 WriteablePublicShareMustHavePassword bool `yaml:"public_sharing_writeableshare_must_have_password" env:"OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares."`
 }
diff --git a/services/frontend/pkg/config/parser/parse.go b/services/frontend/pkg/config/parser/parse.go
index 3045136e3b7..66e6b87b796 100644
--- a/services/frontend/pkg/config/parser/parse.go
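Review bot: The env name on the new `PublicShareMustHavePassword` field is `OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`, while the changelog entry added in this same commit announces `OCIS_SHARING_PUBLIC_READABLE_SHARE_MUST_HAVE_PASSWORD`. An operator who copies the name from the changelog sets a variable this field does not read, gets no error, and viewer links stay creatable without a password. The two need to be reconciled; if the struct tag is the intended name, the changelog sentence should use it. The `desc` could also state that the setting covers the writeable share types, e.g. `desc:"Set this to true to enforce passwords on all public shares, including Uploader, Editor and Contributor shares."`.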
+++ b/services/frontend/pkg/config/parser/parse.go
@@ -51,5 +51,10 @@ func Validate(cfg *config.Config) error {
 cfg.GRPCClientTLS = structs.CopyOrZeroValue(cfg.Commons.GRPCClientTLS)
 }
+ // Set password enforcement on all public links when config is set
+ if cfg.OCS.PublicShareMustHavePassword {
+ cfg.OCS.WriteablePublicShareMustHavePassword = true
+ }
+
 return nil
 }
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
index b5d3d3982c6..fd8d3861cd9 100644
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -249,7 +249,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 "password": map[string]interface{}{
 "enforced": false,
 "enforced_for": map[string]interface{}{
- "read_only": false,
+ "read_only": cfg.OCS.PublicShareMustHavePassword,
 "read_write": cfg.OCS.WriteablePublicShareMustHavePassword,
 "read_write_delete": cfg.OCS.WriteablePublicShareMustHavePassword,
 "upload_only": cfg.OCS.WriteablePublicShareMustHavePassword,
diff --git a/tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature b/tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature
index 447dc360d33..82de5368161 100644
--- a/tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature
+++ b/tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature
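Review bot: The added comment says enforcement is set on all public links, but the block only raises `WriteablePublicShareMustHavePassword`; the read-only case is not handled here and, within this commit, is wired separately in revaconfig. The block also overrides an explicit `false` on the writeable setting without any log line. A more exact comment would be `// PublicShareMustHavePassword implies the writeable flag; an explicit false on the writeable setting is overridden.` Validate begins outside the hunk.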
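Review bot: `read_only` now reads `PublicShareMustHavePassword` directly, but the three writeable entries below it still read only `WriteablePublicShareMustHavePassword`, so they are correct only if `parser.Validate` has already copied the flag across. A config that reaches `FrontendConfigFromStruct` without passing through Validate (a test fixture or a later caller, for example) would enforce passwords on viewer links but not on editor or uploader links. Computing the value locally removes that ordering dependency: `writeable := cfg.OCS.PublicShareMustHavePassword || cfg.OCS.WriteablePublicShareMustHavePassword`, then use `writeable` for `read_write`, `read_write_delete` and `upload_only`. The map literal continues outside the hunk, so any further writeable entries there would need the same value.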
@@ -40,6 +40,44 @@ Feature: enforce password on public link
 | 2 | 400 |
+ Scenario Outline: create a public link with view permission without a password
+ Given the config "OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
+ And user "Alice" has been created with default attributes and without skeleton files
+ And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
+ And using OCS API version ""
+ When user "Alice" creates a public link share using the sharing API with settings
+ | path | /testfile.txt |
+ | permissions | 1 |
+ Then the HTTP status code should be ""
+ And the OCS status code should be "400"
+ And the OCS status message should be "missing required password"
+ Examples:
+ | ocs-api-version | http-code |
+ | 1 | 200 |
+ | 2 | 400 |
+
+
+ Scenario Outline: updates a public link to edit permission without a password
+ Given the config "OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
+ And user "Alice" has been created with default attributes and without skeleton files
+ And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
+ And using OCS API version ""
+ And user "Alice" has created a public link share with settings
+ | path | /testfile.txt |
+ | permissions | 1 |
+ | password | test12GD!sdf |
+ When user "Alice" updates the last public link share using the sharing API with
+ | permissions | 3 |
+ | password | |
+ Then the HTTP status code should be ""
+ And the OCS status code should be "400"
+ And the OCS status message should be "missing required password"
+ Examples:
+ | ocs-api-version | http-code |
+ | 1 | 200 |
+ | 2 | 400 |
+
+
 Scenario Outline: updates a public link to edit permission with a password
 Given the config "OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
 And user "Alice" has been created with default attributes and without skeleton files
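Review bot: Neither new scenario covers removing the password from an existing read-only link, which is the update path the new setting has to guard. The first outline checks creation with permissions `1`. The second raises permissions to `3` and clears the password in the same request, so its rejection is already explained by the writeable rule and says nothing about viewer links. A third outline would close the gap: create the link with permissions `1` and a password, update it with only `| password | |`, and expect OCS status `400` with `missing required password`.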
@@ -249,7 +287,7 @@ Feature: enforce password on public link
 And using OCS API version "2"
 And user "Alice" has been created with default attributes and without skeleton files
 And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
- And user "Alice" has created a public link share with settings
+ And user "Alice" has created a public link share with settings
 | path | /testfile.txt |
 | permissions | 1 |
 When user "Alice" updates the last public link share using the sharing API with