Handle accept decline with invalid share id #34622

Merged
merged 7 commits into from
Mar 6, 2019

phil-davis
Contributor

@phil-davis phil-davis commented Feb 26, 2019

Description

  1. Catch the case when an accept or decline for a non-existent federated share id is received. Return a STATUS_GONE 410 response. Previously this was not caught in RequestHandlerController and ended up becoming a 500 status. That can cause issues for the remote end, which could think that there was an internal server error for the request - the remote end might then throw an exception itself and not clean up its view of the now non-existent share id.

  2. Catch the case when an accept or decline for a share id has an invalid shared secret provided. Return a STATUS_FORBIDDEN 403 so that the remote end can at least handle/report that, rather than returning a 500 that might cause the remote server grief.

Related Issue

This is on top of PR #34568 and issue #34566

Motivation and Context

How Has This Been Tested?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

Open tasks:

  • Backport (if applicable set "backport-request" label and remove when the backport was done)
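
An added illustration of the two cases in the description above, not code from this PR or from ownCloud: a self-contained PHP handler that looks up a share, compares the shared secret in constant time, and answers 410 or 403 instead of letting the failure surface as a 500. The exception classes, the in-memory share table and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; not ownCloud code. Every name below is hypothetical.

final class ShareNotFound extends RuntimeException {}
final class BadSharedSecret extends RuntimeException {}

const STATUS_OK = 200;
const STATUS_FORBIDDEN = 403;
const STATUS_GONE = 410;
const STATUS_INTERNAL_SERVER_ERROR = 500;

/**
 * Look up a federated share and verify the caller's shared secret.
 *
 * @param array<int, array{token: string, state: string}> $shares in-memory share table
 * @return array{token: string, state: string}
 */
function findVerifiedShare(array $shares, int $id, string $token): array
{
    if (!isset($shares[$id])) {
        throw new ShareNotFound("share $id does not exist");
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how much of the secret was correct.
    if (!hash_equals($shares[$id]['token'], $token)) {
        throw new BadSharedSecret("invalid shared secret for share $id");
    }
    return $shares[$id];
}

/**
 * Handle an accept or decline sent by the remote server.
 *
 * Expected failures get their own status so the remote end can act on them:
 * 410 tells it to drop its record of the share, 403 tells it the secret is
 * wrong. Only unexpected faults become a 500.
 *
 * Trade-off to be aware of: answering 410 and 403 differently lets a caller
 * that does not hold the secret learn which share ids exist.
 *
 * @return array{status: int, message: string}
 */
function handleAcceptDecline(array &$shares, int $id, string $token, bool $accept): array
{
    try {
        findVerifiedShare($shares, $id, $token);
        $shares[$id]['state'] = $accept ? 'accepted' : 'declined';
        return ['status' => STATUS_OK, 'message' => ''];
    } catch (ShareNotFound $e) {
        return ['status' => STATUS_GONE, 'message' => 'share not found'];
    } catch (BadSharedSecret $e) {
        return ['status' => STATUS_FORBIDDEN, 'message' => 'invalid shared secret'];
    } catch (Throwable $e) {
        // Keep the detail in the server log; the remote end only needs the code.
        error_log($e->getMessage());
        return ['status' => STATUS_INTERNAL_SERVER_ERROR, 'message' => 'internal error'];
    }
}

// Constructed sample data: one pending share with a made-up secret.
$shares = [7 => ['token' => 'constructed-secret-abc', 'state' => 'pending']];

$requests = [
    [7, 'constructed-secret-abc', true],  // known id, correct secret
    [7, 'wrong-secret', false],           // known id, wrong secret
    [123, 'anything', true],              // id that does not exist
];

foreach ($requests as [$id, $token, $accept]) {
    $result = handleAcceptDecline($shares, $id, $token, $accept);
    printf("share %d -> HTTP %d %s\n", $id, $result['status'], $result['message']);
}
```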

@codecov

codecov bot commented Feb 26, 2019

Codecov Report

Merging #34622 into master will increase coverage by <.01%.
The diff coverage is 89.21%.

@@             Coverage Diff              @@
##             master   #34622      +/-   ##
============================================
+ Coverage     65.23%   65.24%   +<.01%     
- Complexity    18438    18446       +8     
============================================
  Files          1203     1203              
  Lines         69819    69850      +31     
  Branches       1280     1280              
============================================
+ Hits          45548    45572      +24     
- Misses        23899    23906       +7     
  Partials        372      372
| Flag | Coverage Δ | Complexity Δ | |
| --- | --- | --- | --- |
| #javascript | 53.04% <ø> (ø) | 0 <ø> (ø) | ⬇️ |
| #phpunit | 66.64% <89.21%> (ø) | 18446 <1> (+8) | ⬆️ |

| Impacted Files | Coverage Δ | Complexity Δ | |
| --- | --- | --- | --- |
| ...e/AppFramework/DependencyInjection/DIContainer.php | 73.28% <ø> (ø) | 79 <0> (ø) | ⬇️ |
| apps/files_sharing/lib/AppInfo/Application.php | 50.98% <100%> (ø) | 17 <0> (ø) | ⬇️ |
| ...haring/lib/Controller/RequestHandlerController.php | 82.18% <100%> (+2.31%) | 30 <0> (+4) | ⬆️ |
| ...amework/Middleware/Security/SecurityMiddleware.php | 93.84% <25%> (-4.52%) | 24 <0> (+2) | |
| apps/dav/lib/Connector/Sabre/CorsPlugin.php | 89.79% <73.33%> (-7.83%) | 19 <1> (+2) | |
| ...es_sharing/lib/Controller/Share20OcsController.php | 85.31% <93.54%> (ø) | 193 <0> (ø) | ⬇️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a922eaf...5050903. Read the comment docs.

@codecov

codecov bot commented Feb 26, 2019

Codecov Report

Merging #34622 into master will increase coverage by <.01%.
The diff coverage is 88.46%.

@@             Coverage Diff              @@
##             master   #34622      +/-   ##
============================================
+ Coverage     65.25%   65.25%   +<.01%     
- Complexity    18458    18467       +9     
============================================
  Files          1207     1207              
  Lines         69895    69928      +33     
  Branches       1280     1280              
============================================
+ Hits          45608    45633      +25     
- Misses        23915    23923       +8     
  Partials        372      372
| Flag | Coverage Δ | Complexity Δ | |
| --- | --- | --- | --- |
| #javascript | 53.04% <ø> (ø) | 0 <ø> (ø) | ⬇️ |
| #phpunit | 66.66% <88.46%> (ø) | 18467 <1> (+9) | ⬆️ |

| Impacted Files | Coverage Δ | Complexity Δ | |
| --- | --- | --- | --- |
| ...e/AppFramework/DependencyInjection/DIContainer.php | 73.28% <ø> (ø) | 79 <0> (ø) | ⬇️ |
| apps/files_sharing/lib/AppInfo/Application.php | 50.98% <100%> (ø) | 17 <0> (ø) | ⬇️ |
| ...haring/lib/Controller/RequestHandlerController.php | 82.18% <100%> (+2.31%) | 30 <0> (+4) | ⬆️ |
| ...amework/Middleware/Security/SecurityMiddleware.php | 93.84% <25%> (-4.52%) | 24 <0> (+2) | |
| lib/public/AppFramework/OCSController.php | 95.45% <50%> (-2.17%) | 14 <0> (+1) | |
| apps/dav/lib/Connector/Sabre/CorsPlugin.php | 89.79% <73.33%> (-7.83%) | 19 <1> (+2) | |
| ...es_sharing/lib/Controller/Share20OcsController.php | 85.34% <93.54%> (ø) | 193 <0> (ø) | ⬇️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ec002f4...96f66cf. Read the comment docs.

@PVince81
Contributor

the code looks fine to me, I'm only worried about the STATUS_GONE addition.

@VicDeo can you evaluate the risk for this change of behavior for existing federation clients that might have expected a 200 OK response with no body instead of an error ?

Member

@VicDeo VicDeo left a comment

That's what we have from OCM spec https://rawgit.com/GEANT/OCM-API/v1/docs.html

400 Bad request due to invalid parameters, e.g. when type is invalid or missing.
401 Client cannot be authenticated as a trusted service.
403 Trusted service is not authorized to create notifications.
501 The receiver doesn't support notifications.
503 The receiver is temporary unavailable (e.g. due to planned maintenance).

As long as RequestHandlerController is used for our legacy endpoint it should be fine.

@VicDeo
Member

VicDeo commented Feb 27, 2019

@PVince81 according to the implementation this notification will be resent from a background job with TTL = 20.

@phil-davis
Contributor Author

@VicDeo the list does not have code 410.
Should we just return a 400 Bad Request?

Member

@VicDeo VicDeo left a comment

Fine by me. Just one note.

use OCP\Lock\ILockingProvider;
use OCP\Lock\LockedException;
use OCP\Share;
use function Sodium\crypto_sign_ed25519_pk_to_curve25519;
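
Review bot: the last line, `use function Sodium\crypto_sign_ed25519_pk_to_curve25519;`, imports a key-conversion function that has no connection to the accept/decline status handling this PR describes, while the imports around it are for locking and shares. It looks like an editor auto-import; remove it unless code in this file actually calls it, since a stray crypto import misleads later readers about what the file does.
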
Member

@phil-davis strange things are going on here :)

Member

taken care of .... will merge once drone is green and take care of backporting

@PVince81
Contributor

PVince81 commented Mar 4, 2019

--- Failed scenarios:

    /drone/src/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:42
    /drone/src/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:43
    /drone/src/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:44
    /drone/src/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:45
    /drone/src/tests/acceptance/features/apiAuth/ocsGETAuth.feature:100
    /drone/src/tests/acceptance/features/apiAuth/ocsGETAuth.feature:101
    /drone/src/tests/acceptance/features/apiAuth/ocsGETAuth.feature:148
    /drone/src/tests/acceptance/features/apiAuth/ocsGETAuth.feature:149
    /drone/src/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:48
    /drone/src/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:49
    /drone/src/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:50
    /drone/src/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:51
    /drone/src/tests/acceptance/features/apiAuth/ocsPUTAuth.feature:35
    /drone/src/tests/acceptance/features/apiAuth/ocsPUTAuth.feature:36

😱

@phil-davis
Contributor Author

@DeepDiver1975 feel free to keep rebasing... this PR and/or just cherry-pick the useful bits into #34568 or whatever. (I will keep my hands off, so we don't stomp on each other)

@DeepDiver1975
Member

ohoh ....

  @issue-34626
  Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password                          # /drone/src/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:34
    Given using OCS API version "<ocs_api_version>"                                                             # FeatureContext::usingOcsApiVersion()
    When the administrator sends HTTP method "DELETE" to OCS API endpoint "<endpoint>" using password "invalid" # FeatureContext::theAdministratorSendsHttpMethodToOcsApiEndpoint()
    Then the HTTP status code should be "200"                                                                   # FeatureContext::theHTTPStatusCodeShouldBe()
    And the body of the response should be empty                                                                # FeatureContext::theResponseBodyShouldBeEmpty()

    Examples:
      | ocs_api_version | endpoint                                      |
      | 1               | /apps/files_sharing/api/v1/shares/123         |
        Failed asserting that a string is empty.
      | 2               | /apps/files_sharing/api/v1/shares/123         |
        Failed asserting that a string is empty.
      | 1               | /apps/files_sharing/api/v1/shares/pending/123 |
        Failed asserting that a string is empty.
      | 2               | /apps/files_sharing/api/v1/shares/pending/123 |
        Failed asserting that a string is empty.

@phil-davis
Contributor Author

@DeepDiver1975 there is a fail with the apiAuth suite which is "new".
I will have a look at what has happened in rebase... and sort that out.

@phil-davis
Contributor Author

The code looks fine. Weird drone error and we can't see the log file. I force pushed a rebase of the last commit to make drone start fresh.

@phil-davis
Contributor Author

Running apiAuth suite locally:

make test-acceptance-api BEHAT_SUITE=apiAuth

these scenarios fail:

Feature: auth

  Background:                                                   # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:4
    Given user "user0" has been created with default attributes # FeatureContext::userHasBeenCreatedWithDefaultAttributes()
    And a new client token for "user0" has been generated       # FeatureContext::aNewClientTokenHasBeenGenerated()

  @issue-32068
  Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password                          # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsDELETEAuth.feature:9
    Given using OCS API version "<ocs_api_version>"                                                             # FeatureContext::usingOcsApiVersion()
    And group "group1" has been created                                                                         # FeatureContext::groupHasBeenCreated()
    When the administrator sends HTTP method "DELETE" to OCS API endpoint "<endpoint>" using password "invalid" # FeatureContext::theAdministratorSendsHttpMethodToOcsApiEndpoint()
    Then the OCS status code should be "<ocs-code>"                                                             # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                                                            # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | endpoint                                             | ocs-code | http-code |
      | 1               | /apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/remote_shares/123         | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares/123         | 997      | 401       |
      | 1               | /cloud/apps/testing                                  | 997      | 401       |
      | 2               | /cloud/apps/testing                                  | 997      | 401       |
      | 1               | /cloud/groups/group1                                 | 997      | 401       |
      | 2               | /cloud/groups/group1                                 | 997      | 401       |
      | 1               | /cloud/users/user0                                   | 997      | 401       |
      | 2               | /cloud/users/user0                                   | 997      | 401       |
      | 1               | /cloud/users/user0/groups                            | 997      | 401       |
      | 2               | /cloud/users/user0/groups                            | 997      | 401       |
      | 1               | /cloud/users/user0/subadmins                         | 997      | 401       |
      | 2               | /cloud/users/user0/subadmins                         | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/shares/123                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares/123                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 1               | /apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

and

Feature: auth

  Background:                                                   # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsGETAuth.feature:3
    Given user "user0" has been created with default attributes # FeatureContext::userHasBeenCreatedWithDefaultAttributes()
    And a new client token for "user0" has been generated       # FeatureContext::aNewClientTokenHasBeenGenerated()

  @issue-32068
  Scenario Outline: using OCS anonymously                              # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsGETAuth.feature:8
    When a user requests "<endpoint>" with "GET" and no authentication # FeatureContext::userRequestsURLWith()
    Then the OCS status code should be "<ocs-code>"                    # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                   # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | endpoint                                                    | ocs-code | http-code |
      | /ocs/v1.php/apps/files_external/api/v1/mounts               | 997      | 401       |
      | /ocs/v2.php/apps/files_external/api/v1/mounts               | 997      | 401       |
      | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | /ocs/v1.php/apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | /ocs/v2.php/apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | /ocs/v1.php/cloud/apps                                      | 997      | 401       |
      | /ocs/v2.php/cloud/apps                                      | 997      | 401       |
      | /ocs/v1.php/cloud/groups                                    | 997      | 401       |
      | /ocs/v2.php/cloud/groups                                    | 997      | 401       |
      | /ocs/v1.php/cloud/users                                     | 997      | 401       |
      | /ocs/v2.php/cloud/users                                     | 997      | 401       |
      | /ocs/v1.php/config                                          | 100      | 200       |
      | /ocs/v2.php/config                                          | 200      | 200       |
      | /ocs/v1.php/privatedata/getattribute                        | 997      | 401       |
      | /ocs/v2.php/privatedata/getattribute                        | 997      | 401       |
      | /ocs/v1.php/apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | /ocs/v2.php/apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

and

  Scenario Outline: using OCS as normal user with wrong password                                        # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsGETAuth.feature:60
    Given using OCS API version "<ocs_api_version>"                                                     # FeatureContext::usingOcsApiVersion()
    When user "user0" sends HTTP method "GET" to OCS API endpoint "<endpoint>" using password "invalid" # FeatureContext::userSendsToOcsApiEndpoint()
    Then the OCS status code should be "<ocs-code>"                                                     # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                                                    # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | endpoint                                         | ocs-code | http-code |
      | 1               | /apps/files_external/api/v1/mounts               | 997      | 401       |
      | 2               | /apps/files_external/api/v1/mounts               | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | 1               | /cloud/apps                                      | 997      | 401       |
      | 2               | /cloud/apps                                      | 997      | 401       |
      | 1               | /cloud/groups                                    | 997      | 401       |
      | 2               | /cloud/groups                                    | 997      | 401       |
      | 1               | /cloud/users                                     | 997      | 401       |
      | 2               | /cloud/users                                     | 997      | 401       |
      | 1               | /config                                          | 100      | 200       |
      | 2               | /config                                          | 200      | 200       |
      | 1               | /privatedata/getattribute                        | 997      | 401       |
      | 2               | /privatedata/getattribute                        | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

and

  Scenario Outline: using OCS as admin user with wrong password                                              # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsGETAuth.feature:99
    Given using OCS API version "<ocs_api_version>"                                                          # FeatureContext::usingOcsApiVersion()
    When the administrator sends HTTP method "GET" to OCS API endpoint "<endpoint>" using password "invalid" # FeatureContext::theAdministratorSendsHttpMethodToOcsApiEndpoint()
    Then the OCS status code should be "<ocs-code>"                                                          # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                                                         # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | endpoint                                         | ocs-code | http-code |
      | 1               | /apps/files_external/api/v1/mounts               | 997      | 401       |
      | 2               | /apps/files_external/api/v1/mounts               | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares         | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares/pending | 997      | 401       |
      | 1               | /cloud/apps                                      | 997      | 401       |
      | 2               | /cloud/apps                                      | 997      | 401       |
      | 1               | /cloud/groups                                    | 997      | 401       |
      | 2               | /cloud/groups                                    | 997      | 401       |
      | 1               | /cloud/users                                     | 997      | 401       |
      | 2               | /cloud/users                                     | 997      | 401       |
      | 1               | /privatedata/getattribute                        | 997      | 401       |
      | 2               | /privatedata/getattribute                        | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares                | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

and

Feature: auth

  Background:                                                   # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:4
    Given user "user0" has been created with default attributes # FeatureContext::userHasBeenCreatedWithDefaultAttributes()
    And a new client token for "user0" has been generated       # FeatureContext::aNewClientTokenHasBeenGenerated()

  @issue-32068
  Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password                         # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsPOSTAuth.feature:9
    Given using OCS API version "<ocs_api_version>"                                                                # FeatureContext::usingOcsApiVersion()
    And user "user1" has been created with default attributes                                                      # FeatureContext::userHasBeenCreatedWithDefaultAttributes()
    When user "user0" sends HTTP method "POST" to OCS API endpoint "<endpoint>" with body using password "invalid" # FeatureContext::userSendsHTTPMethodToOcsApiEndpointWithBodyAndPassword()
      | data | doesnotmatter |
    Then the OCS status code should be "<ocs-code>"                                                                # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                                                               # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | endpoint                                             | ocs-code | http-code |
      | 1               | /apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
      | 2               | /apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
      | 1               | /cloud/apps/testing                                  | 997      | 401       |
      | 2               | /cloud/apps/testing                                  | 997      | 401       |
      | 1               | /cloud/groups                                        | 997      | 401       |
      | 2               | /cloud/groups                                        | 997      | 401       |
      | 1               | /cloud/users                                         | 997      | 401       |
      | 2               | /cloud/users                                         | 997      | 401       |
      | 1               | /cloud/users/user0/groups                            | 997      | 401       |
      | 2               | /cloud/users/user0/groups                            | 997      | 401       |
      | 1               | /cloud/users/user0/subadmins                         | 997      | 401       |
      | 2               | /cloud/users/user0/subadmins                         | 997      | 401       |
      | 1               | /person/check                                        | 101      | 200       |
      | 2               | /person/check                                        | 400      | 400       |
      | 1               | /privatedata/deleteattribute/testing/test            | 997      | 401       |
      | 2               | /privatedata/deleteattribute/testing/test            | 997      | 401       |
      | 1               | /privatedata/setattribute/testing/test               | 997      | 401       |
      | 2               | /privatedata/setattribute/testing/test               | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/shares                    | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares                    | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 1               | /apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

@api @TestAlsoOnExternalUserBackend
Feature: auth

  Background:                                                   # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsPUTAuth.feature:4
    Given user "user0" has been created with default attributes # FeatureContext::userHasBeenCreatedWithDefaultAttributes()
    And a new client token for "user0" has been generated       # FeatureContext::aNewClientTokenHasBeenGenerated()

  @issue-32068
  Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password                                    # /home/phil/git/owncloud/core/tests/acceptance/features/apiAuth/ocsPUTAuth.feature:9
    Given using OCS API version "<ocs_api_version>"                                                                    # FeatureContext::usingOcsApiVersion()
    When the administrator sends HTTP method "PUT" to OCS API endpoint "<endpoint>" with body using password "invalid" # FeatureContext::theAdministratorSendsHttpMethodToOcsApiWithBodyAndPassword()
      | data | doesnotmatter |
    Then the OCS status code should be "<ocs-code>"                                                                    # FeatureContext::theOCSStatusCodeShouldBe()
    And the HTTP status code should be "<http-code>"                                                                   # FeatureContext::theHTTPStatusCodeShouldBe()

    Examples:
      | ocs_api_version | endpoint                              | ocs-code | http-code |
      | 1               | /cloud/users/user0                    | 997      | 401       |
      | 2               | /cloud/users/user0                    | 997      | 401       |
      | 1               | /cloud/users/user0/disable            | 997      | 401       |
      | 2               | /cloud/users/user0/disable            | 997      | 401       |
      | 1               | /cloud/users/user0/enable             | 997      | 401       |
      | 2               | /cloud/users/user0/enable             | 997      | 401       |
      | 1               | /apps/files_sharing/api/v1/shares/123 | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.
      | 2               | /apps/files_sharing/api/v1/shares/123 | 997      | 401       |
        HTTP status code is not the expected value
        Failed asserting that 200 matches expected '401'.

It is not happy.

@phil-davis
Contributor Author

Rebased - we can see drone logs today, so that will give us test output to look at.

@DeepDiver1975
Member

Acceptance tests revealed another issue ... fixed

@phil-davis phil-davis merged commit c77bc7a into master Mar 6, 2019
@delete-merged-branch delete-merged-branch bot deleted the handle-accept-decline-share branch March 6, 2019 08:00
@DeepDiver1975
Member

Thx

@phil-davis
Contributor Author

I am looking at the backport...

@individual-it
Member

@DeepDiver1975 were #34664 and #34679 also addressed ?

@phil-davis
Contributor Author

Backport stable10 #34786

@lock lock bot locked as resolved and limited conversation to collaborators Mar 27, 2020