Merge pull request #636 from catalyst/add-token-expiry-check-42

Add token expiry check 42

classes/check/token_expiry.php

@@ -0,0 +1,71 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+namespace tool_objectfs\check;
+
+use core\check\check;
+use core\check\result;
+
+/**
+ * Token expiry check.
+ *
+ * @package    tool_objectfs
+ * @author     Matthew Hilton <matthewhilton@catalyst-au.net>
+ * @copyright  Catalyst IT
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class token_expiry extends check {
+    /**
+     * Checks the token expiry time against thresholds
+     * @return result
+     */
+    public function get_result(): result {
+        $config = \tool_objectfs\local\manager::get_objectfs_config();
+        $client = \tool_objectfs\local\manager::get_client($config);
+
+        // No client set - n/a.
+        if (empty($client)) {
+            return new result(result::NA, get_string('check:tokenexpiry:na', 'tool_objectfs'));
+        }
+
+        $expirytime = $client->get_token_expiry_time();
+        $secondsleft = $expirytime - time();
+
+        $strparams = [
+            'dayssince' => abs(round($secondsleft / DAYSECS)),
+            'time' => userdate($expirytime),
+        ];
+
+        // Not implemented or token not set - n/a.
+        if ($expirytime == -1) {
+            return new result(result::NA, get_string('check:tokenexpiry:na', 'tool_objectfs'));
+        }
+
+        // Is in past - token has expired.
+        if ($secondsleft < 0) {
+            return new result(result::CRITICAL, get_string('check:tokenexpiry:expired', 'tool_objectfs', $strparams));
+        }
+
+        // Is in warning period - warn.
+        $warnthreshold = (int) $config->tokenexpirywarnperiod;
+        if ($secondsleft < $warnthreshold) {
+            return new result(result::WARNING, get_string('check:tokenexpiry:expiresin', 'tool_objectfs', $strparams));
+        }
+
+        // Else ok.
+        return new result(result::OK, get_string('check:tokenexpiry:expiresin', 'tool_objectfs', $strparams));
+    }
+}

classes/local/manager.php

@@ -329,6 +329,10 @@ public static function get_available_fs_list() {
      * @return string
      */
     public static function get_client_classname_from_fs($filesystem) {
+        // Unit tests need to return the test client.
+        if ($filesystem == '\tool_objectfs\tests\test_file_system') {
+            return '\tool_objectfs\tests\test_client';
+        }
         $clientclass = str_replace('_file_system', '', $filesystem);
         return str_replace('tool_objectfs\\', 'tool_objectfs\\local\\store\\', $clientclass.'\\client');
     }

classes/local/object_manipulator/candidates/manipulator_candidates.php

@@ -14,18 +14,17 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
+namespace tool_objectfs\local\object_manipulator\candidates;
+
+use dml_exception;
+
 /**
  * Interface manipulator_candidates
  * @package tool_objectfs
  * @author Gleimer Mora <gleimermora@catalyst-au.net>
  * @copyright Catalyst IT
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
-
-namespace tool_objectfs\local\object_manipulator\candidates;
-
-use dml_exception;
-
 interface manipulator_candidates {
 
     /**

classes/local/object_manipulator/object_manipulator.php

@@ -14,6 +14,10 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
+namespace tool_objectfs\local\object_manipulator;
+
+use stdClass;
+
 /**
  * Object manipulator interface class.
  *
@@ -22,11 +26,6 @@
  * @copyright Catalyst IT
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
-
-namespace tool_objectfs\local\object_manipulator;
-
-use stdClass;
-
 interface object_manipulator {
 
 

classes/local/store/azure/client.php

@@ -25,8 +25,10 @@
 
 namespace tool_objectfs\local\store\azure;
 
+use admin_setting_description;
 use SimpleXMLElement;
 use stdClass;
+use tool_objectfs\check\token_expiry;
 use tool_objectfs\local\store\azure\stream_wrapper;
 use tool_objectfs\local\store\object_client_base;
 
@@ -360,9 +362,42 @@ public function define_client_section($settings, $config) {
             new \lang_string('settings:azure:sastoken', 'tool_objectfs'),
             new \lang_string('settings:azure:sastoken_help', 'tool_objectfs'), ''));
 
+        // Admin_setting_check only exists in 4.5+, in lower versions fallback to a basic description.
+        if (class_exists('admin_setting_check')) {
+            $settings->add(new admin_setting_check('tool_objectfs/check_tokenexpiry', new token_expiry(), true));
+        } else {
+            $summary = (new token_expiry())->get_result()->get_summary();
+            $settings->add(new admin_setting_description('tool_objectfs/tokenexpirycheckresult',
+                get_string('checktoken_expiry', 'tool_objectfs'), $summary));
+        }
+
         return $settings;
     }
 
+    /**
+     * Returns token expiry time
+     * @return int
+     */
+    public function get_token_expiry_time(): int {
+        if (empty($this->config->azure_sastoken)) {
+            return -1;
+        }
+
+        // Parse the sas token (it just uses url parameter encoding).
+        $parts = [];
+        parse_str($this->config->azure_sastoken, $parts);
+
+        // Get the 'se' part (signed expiry).
+        if (!isset($parts['se'])) {
+            // Assume expired (malformed).
+            return 0;
+        }
+
+        // Parse timestamp string into unix timestamp int.
+        $expirystr = $parts['se'];
+        return strtotime($expirystr);
+    }
+
     /**
      * Extract an error code from the XML response.
      *

classes/local/store/object_client.php

@@ -14,6 +14,8 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
+namespace tool_objectfs\local\store;
+
 /**
  * Objectfs client interface.
  *
@@ -22,11 +24,7 @@
  * @copyright Catalyst IT
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
-
-namespace tool_objectfs\local\store;
-
 interface object_client {
-
     /**
      * construct
      * @param \stdClass $config
@@ -137,6 +135,12 @@ public function proxy_range_request(\stored_file $file, $ranges);
      */
     public function test_range_request($filesystem);
 
+    /**
+     * Get the expiry time of the token used for this fs.
+     * returns -1 if not implemented, or no token is set.
+     * @return int unix timestamp the token set expires at
+     */
+    public function get_token_expiry_time(): int;
 }
 
 

classes/local/store/object_client_base.php

@@ -187,4 +187,13 @@ public function test_connection() {
     public function test_permissions($testdelete) {
         return (object)['success' => false, 'details' => ''];
     }
+
+    /**
+     * Return expiry time of token, default is -1 meaning not implemented/enabled.
+     * @return int
+     */
+    public function get_token_expiry_time(): int {
+        // Returning -1 = not implemented.
+        return -1;
+    }
 }

classes/privacy/provider.php

@@ -13,6 +13,7 @@
 //
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
 /**
  * Privacy provider.
  *

classes/task/objectfs_task.php

@@ -14,6 +14,8 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
+namespace tool_objectfs\task;
+
 /**
  * Base abstract class for objectfs tasks.
  *
@@ -22,9 +24,6 @@
  * @copyright Catalyst IT
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
-
-namespace tool_objectfs\task;
-
 interface objectfs_task {
 
     /**

classes/tests/test_azure_integration_client.php

@@ -19,8 +19,11 @@
 use tool_objectfs\local\store\azure\client;
 
 /**
- * [Description test_azure_integration_client]
- * @package tool_objectfs
+ * Client used for integration testing azure client
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class test_azure_integration_client extends client {
 
@@ -35,7 +38,10 @@ class test_azure_integration_client extends client {
      * @return void
      */
     public function __construct($config) {
-        parent::__construct($config);
+        // Set config directly. Calling __construct will do nothing
+        // since unit tests do not have the azure sdk installed.
+        $this->config = $config;
+
         $time = microtime();
         $this->runidentifier = md5($time);
     }

classes/tests/test_client.php

@@ -19,8 +19,11 @@
 use tool_objectfs\local\store\object_client_base;
 
 /**
- * [Description test_client]
- * @package tool_objectfs
+ * Test client for PHP unit tests
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class test_client extends object_client_base {
     /**
@@ -157,5 +160,14 @@ public function test_permissions($testdelete) {
     public function get_maximum_upload_size() {
         return $this->maxupload;
     }
+
+    /**
+     * Returns test expiry time.
+     * @return int
+     */
+    public function get_token_expiry_time(): int {
+        global $CFG;
+        return $CFG->objectfs_phpunit_token_expiry_time;
+    }
 }
 

classes/tests/test_digitalocean_integration_client.php

@@ -19,8 +19,11 @@
 use tool_objectfs\local\store\digitalocean\client;
 
 /**
- * [Description test_digitalocean_integration_client]
- * @package tool_objectfs
+ * Client used for integration testing digitalocean client
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class test_digitalocean_integration_client extends client {
 

classes/tests/test_s3_integration_client.php

@@ -19,8 +19,11 @@
 use tool_objectfs\local\store\s3\client;
 
 /**
- * [Description test_s3_integration_client]
- * @package tool_objectfs
+ * Client used for integration testing aws client
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class test_s3_integration_client extends client {
 

classes/tests/test_swift_integration_client.php

@@ -19,8 +19,11 @@
 use tool_objectfs\local\store\swift\client;
 
 /**
- * [Description test_swift_integration_client]
- * @package tool_objectfs
+ * Client used for integration testing swift client
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class test_swift_integration_client extends client {
 

classes/tests/testcase.php

@@ -26,8 +26,11 @@
 use tool_objectfs\local\store\signed_url;
 
 /**
- * [Description testcase]
- * @package tool_objectfs
+ * Testcase with useful / shared methods for common objectfs tests.
+ *
+ * @package   tool_objectfs
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 abstract class testcase extends \advanced_testcase {
 

lang/en/tool_objectfs.php

@@ -269,3 +269,9 @@
 
 $string['check:proxyrangerequestsdisabled'] = 'The proxy range request setting is disabled.';
 $string['checkproxy_range_request'] = 'Pre-signed URL range request proxy';
+
+$string['checktoken_expiry'] = 'Token expiry';
+$string['check:tokenexpiry:expiresin'] = 'Token expires in {$a->dayssince} days on {$a->time}';
+$string['check:tokenexpiry:expired'] = 'Token expired for {$a->dayssince} days. Expired on {$a->time}';
+$string['check:tokenexpiry:na'] = 'Token expired not implemented for filesystem, or no token is set';
+$string['settings:tokenexpirywarnperiod'] = 'Token expiry warn period';

lib.php

@@ -101,11 +101,13 @@ function tool_objectfs_pluginfile($course, $cm, context $context, $filearea, arr
  * @return array
  */
 function tool_objectfs_status_checks() {
+    $checks = [
+        new tool_objectfs\check\token_expiry(),
+    ];
+
     if (get_config('tool_objectfs', 'proxyrangerequests')) {
-        return [
-            new tool_objectfs\check\proxy_range_request(),
-        ];
+        $checks[] = new tool_objectfs\check\proxy_range_request();
     }
 
-    return [];
+    return $checks;
 }