[Feature] add new config to enforce public link password (#7547)

* add new config to enforce public link password

* add api test

changelog/unreleased/readable-share-enforce-password.md

@@ -0,0 +1,6 @@
+Enhancement: Add config to enforce passwords on readable links
+
+We added the config `OCIS_SHARING_PUBLIC_READABLE_SHARE_MUST_HAVE_PASSWORD` to enforce passwords on "Viewer" public shares.
+
+https://github.com/owncloud/ocis/pull/7547
+https://github.com/owncloud/ocis/issues/7539

services/frontend/pkg/config/config.go

@@ -138,6 +138,7 @@ type OCS struct {
 	CacheWarmupDriver                    string             `yaml:"cache_warmup_driver,omitempty"`  // not supported by the oCIS product, therefore not part of docs
 	CacheWarmupDrivers                   CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the oCIS product, therefore not part of docs
 	EnableDenials                        bool               `yaml:"enable_denials" env:"FRONTEND_OCS_ENABLE_DENIALS" desc:"EXPERIMENTAL: enable the feature to deny access on folders."`
+	PublicShareMustHavePassword          bool               `yaml:"public_sharing_share_must_have_password" env:"OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on all public shares."`
 	WriteablePublicShareMustHavePassword bool               `yaml:"public_sharing_writeableshare_must_have_password" env:"OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" desc:"Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares."`
 }
 

services/frontend/pkg/config/parser/parse.go

@@ -51,5 +51,10 @@ func Validate(cfg *config.Config) error {
 		cfg.GRPCClientTLS = structs.CopyOrZeroValue(cfg.Commons.GRPCClientTLS)
 	}
 
+	// Set password enforcement on all public links when config is set
+	if cfg.OCS.PublicShareMustHavePassword {
+		cfg.OCS.WriteablePublicShareMustHavePassword = true
+	}
+
 	return nil
 }

services/frontend/pkg/revaconfig/config.go

@@ -249,7 +249,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 									"password": map[string]interface{}{
 										"enforced": false,
 										"enforced_for": map[string]interface{}{
-											"read_only":         false,
+											"read_only":         cfg.OCS.PublicShareMustHavePassword,
 											"read_write":        cfg.OCS.WriteablePublicShareMustHavePassword,
 											"read_write_delete": cfg.OCS.WriteablePublicShareMustHavePassword,
 											"upload_only":       cfg.OCS.WriteablePublicShareMustHavePassword,

tests/acceptance/features/apiGraph/enforcePasswordPublicLink.feature

@@ -40,6 +40,44 @@ Feature: enforce password on public link
       | 2               | 400       |
 
 
+  Scenario Outline: create a public link with view permission without a password
+    Given the config "OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
+    And user "Alice" has been created with default attributes and without skeleton files
+    And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
+    And using OCS API version "<ocs-api-version>"
+    When user "Alice" creates a public link share using the sharing API with settings
+      | path        | /testfile.txt |
+      | permissions | 1             |
+    Then the HTTP status code should be "<http-code>"
+    And the OCS status code should be "400"
+    And the OCS status message should be "missing required password"
+    Examples:
+      | ocs-api-version | http-code |
+      | 1               | 200       |
+      | 2               | 400       |
+
+
+  Scenario Outline: updates a public link to edit permission without a password
+    Given the config "OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
+    And user "Alice" has been created with default attributes and without skeleton files
+    And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
+    And using OCS API version "<ocs-api-version>"
+    And user "Alice" has created a public link share with settings
+      | path        | /testfile.txt |
+      | permissions | 1             |
+      | password    | test12GD!sdf  |
+    When user "Alice" updates the last public link share using the sharing API with
+      | permissions | 3 |
+      | password    |   |
+    Then the HTTP status code should be "<http-code>"
+    And the OCS status code should be "400"
+    And the OCS status message should be "missing required password"
+    Examples:
+      | ocs-api-version | http-code |
+      | 1               | 200       |
+      | 2               | 400       |
+
+
   Scenario Outline: updates a public link to edit permission with a password
     Given the config "OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD" has been set to "true"
     And user "Alice" has been created with default attributes and without skeleton files
@@ -249,7 +287,7 @@ Feature: enforce password on public link
     And using OCS API version "2"
     And user "Alice" has been created with default attributes and without skeleton files
     And user "Alice" has uploaded file with content "test file" to "/testfile.txt"
-    And user "Alice" has created a public link share with settings 
+    And user "Alice" has created a public link share with settings
       | path        | /testfile.txt |
       | permissions | 1             |
     When user "Alice" updates the last public link share using the sharing API with