From 572be6f8471d42bb13deca9496fe1e371a75517c Mon Sep 17 00:00:00 2001 From: jkoberg Date: Thu, 21 Oct 2021 15:26:08 +0200 Subject: [PATCH 1/3] forbid empty password on user creation --- changelog/unreleased/empty-password-user.md | 5 +++++ ocs/pkg/server/http/svc_test.go | 17 ++++++----------- ocs/pkg/service/v0/users.go | 5 +++++ .../expected-failures-API-on-OCIS-storage.md | 3 --- 4 files changed, 16 insertions(+), 14 deletions(-) create mode 100644 changelog/unreleased/empty-password-user.md diff --git a/changelog/unreleased/empty-password-user.md b/changelog/unreleased/empty-password-user.md new file mode 100644 index 000000000..4ffd4ba84 --- /dev/null +++ b/changelog/unreleased/empty-password-user.md @@ -0,0 +1,5 @@ +Bugfix: Don't allow empty password + +It was allowed to create users with empty or spaces-only password. This is fixed + +https://github.com/owncloud/product/issues/197 diff --git a/ocs/pkg/server/http/svc_test.go b/ocs/pkg/server/http/svc_test.go index 28d4f4d1f..418a64c0c 100644 --- a/ocs/pkg/server/http/svc_test.go +++ b/ocs/pkg/server/http/svc_test.go @@ -169,6 +169,8 @@ var formats = []string{"json", "xml"} var dataPath = createTmpDir() +var defaultPassword = "Testing123" + var defaultUsers = []string{ userEinstein, userIDP, @@ -708,6 +710,10 @@ func getService() svc.Service { } func createUser(u User) error { + // add default password if not set differently + if u.Password == "" { + u.Password = defaultPassword + } _, err := sendRequest( "POST", userProvisioningEndPoint, @@ -767,17 +773,6 @@ func TestCreateUser(t *testing.T) { }, nil, }, - // https://github.com/owncloud/ocis-ocs/issues/50 - { - "User without password", - User{ - Enabled: "true", - ID: "john", - Email: "john@example.com", - Displayname: "John Dalton", - }, - nil, - }, // https://github.com/owncloud/ocis-ocs/issues/49 { "User with special character in userid", diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 1445ab1d5..89cf53eb4 100644 
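Review bot: The removed "User without password" case in TestCreateUser leaves the new rejection in AddUser without any test, and the default injected in createUser (`if u.Password == "" { u.Password = defaultPassword }`) means the harness can no longer send an empty password at all. Rather than deleting the case, keep it as a negative test expecting the bad-request response, and add a whitespace-only variant such as `Password: "   "`, since AddUser now rejects both; that requires createUser to skip the default when a test explicitly wants an empty password, e.g. via an opt-out field on the test struct or a second helper that posts the form exactly as given. The `// add default password if not set differently` comment could then say it applies only to the positive cases. The TestCreateUser table and the createUser body both continue outside these hunks.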
--- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go @@ -179,6 +179,11 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) { return } } + if strings.TrimSpace(password) == "" { + mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty password not allowed"))) + o.logger.Error().Err(err).Str("userid", userid).Msg("empty password not allowed") + return + } // fallbacks /* TODO decide if we want to make these fallbacks. Keep in mind: diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md index 9ee64f2f0..ccc62dd94 100644 --- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md +++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md @@ -916,9 +916,6 @@ special character username not valid - [apiProvisioning-v2/addUser.feature:40](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L40) - [apiProvisioning-v2/addUser.feature:47](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L47) -#### [Password can be set to empty](https://github.com/owncloud/product/issues/197) -- [apiProvisioning-v2/addUser.feature:83](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L83) - #### [Username is case sensitive](https://github.com/owncloud/ocis-accounts/issues/128) - [apiProvisioning-v2/addUser.feature:116](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L116) From ab2bd28eb72c12f377c4aec927d1d861aff18f31 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Thu, 21 Oct 2021 16:02:13 +0200 Subject: [PATCH 2/3] remove forgotten lines --- tests/acceptance/expected-failures-API-on-OCIS-storage.md | 7 ------- 1 file changed, 7 deletions(-) 
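Review bot: The new check rejects empty and whitespace-only passwords only in this OCS handler; if the accounts backend that AddUser calls further down (outside the hunk) still accepts an empty password, provisioning paths that bypass OCS are presumably unaffected, so the same rule is worth enforcing at that layer as well — please confirm. Using `strings.TrimSpace` for the comparison while leaving the submitted `password` value untouched is the right choice, since trimming the stored value would silently alter a credential; a short comment makes that intent explicit: `// reject empty or whitespace-only passwords; the value itself is not modified here`. Placing the check before the `// fallbacks` block is correct. AddUser begins and ends outside the hunk.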
diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md index ccc62dd94..170c1793a 100644 --- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md +++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md @@ -912,13 +912,6 @@ special character username not valid - [apiTrashbin/trashbinFilesFolders.feature:252](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L252) - [apiTrashbin/trashbinFilesFolders.feature:253](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiTrashbin/trashbinFilesFolders.feature#L253) -#### [Creating an already existing user works](https://github.com/owncloud/ocis-accounts/issues/80) -- [apiProvisioning-v2/addUser.feature:40](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L40) -- [apiProvisioning-v2/addUser.feature:47](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L47) - -#### [Username is case sensitive](https://github.com/owncloud/ocis-accounts/issues/128) -- [apiProvisioning-v2/addUser.feature:116](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v2/addUser.feature#L116) - #### [Client token generation not implemented](https://github.com/owncloud/ocis/issues/197) - [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:39](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L39) - [apiProvisioning-v1/apiProvisioningUsingAppPassword.feature:67](https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiProvisioning-v1/apiProvisioningUsingAppPassword.feature#L67) From f0f0c182ef64212f73edb4a782408b7e9e8c03d0 Mon Sep 17 00:00:00 2001 
From: jkoberg Date: Wed, 27 Oct 2021 14:53:10 +0200 Subject: [PATCH 3/3] don't log nil error --- ocs/pkg/service/v0/users.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocs/pkg/service/v0/users.go b/ocs/pkg/service/v0/users.go index 89cf53eb4..55aa18a59 100644 --- a/ocs/pkg/service/v0/users.go +++ b/ocs/pkg/service/v0/users.go @@ -181,7 +181,7 @@ func (o Ocs) AddUser(w http.ResponseWriter, r *http.Request) { } if strings.TrimSpace(password) == "" { mustNotFail(render.Render(w, r, response.ErrRender(data.MetaBadRequest.StatusCode, "empty password not allowed"))) - o.logger.Error().Err(err).Str("userid", userid).Msg("empty password not allowed") + o.logger.Error().Str("userid", userid).Msg("empty password not allowed") return }
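Review bot: The line `o.logger.Error().Str("userid", userid).Msg("empty password not allowed")` logs a client input error that is answered with a 400 at Error level; unless the other validation failures in AddUser (outside the hunk) also log at Error, `Warn()` or `Info()` would keep the error log reserved for server-side faults and avoid alert noise from malformed requests. Dropping `.Err(err)` is correct since no error value belongs to this branch, and the entry rightly records only the userid and never the submitted password. AddUser starts and ends outside the hunk.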