fix: aliases and capitalization of emails

Signed-off-by: SebastianKrupinski <krupinskis05@gmail.com>

[skip ci]

Author: SebastianKrupinski

apps/dav/lib/CalDAV/CalendarImpl.php

@@ -20,9 +20,9 @@
 use Sabre\CalDAV\Xml\Property\ScheduleCalendarTransp;
 use Sabre\DAV\Exception\Conflict;
 use Sabre\VObject\Component\VCalendar;
-use Sabre\VObject\Component\VEvent;
 use Sabre\VObject\Component\VTimeZone;
 use Sabre\VObject\ITip\Message;
+use Sabre\VObject\ParseException;
 use Sabre\VObject\Property;
 use Sabre\VObject\Reader;
 use function Sabre\Uri\split as uriSplit;
@@ -36,6 +36,9 @@ public function __construct(
 	) {
 	}
 
+	private const DAV_PROPERTY_USER_ADDRESS = '{http://sabredav.org/ns}email-address';
+	private const DAV_PROPERTY_USER_ADDRESSES = '{urn:ietf:params:xml:ns:caldav}calendar-user-address-set';
+
 	/**
 	 * @return string defining the technical unique key
 	 * @since 13.0.0
@@ -210,58 +213,93 @@ public function createFromString(string $name, string $calendarData): void {
 	 * @throws CalendarException
 	 */
 	public function handleIMipMessage(string $name, string $calendarData): void {
-		$server = $this->getInvitationResponseServer();
-
-		/** @var CustomPrincipalPlugin $plugin */
-		$plugin = $server->getServer()->getPlugin('auth');
-		// we're working around the previous implementation
-		// that only allowed the public system principal to be used
-		// so set the custom principal here
-		$plugin->setCurrentPrincipal($this->calendar->getPrincipalURI());
 
-		if (empty($this->calendarInfo['uri'])) {
-			throw new CalendarException('Could not write to calendar as URI parameter is missing');
+		try {
+			/** @var VCalendar $vObject|null */
+			$vObject = Reader::read($calendarData);
+		} catch (ParseException $e) {
+			throw new CalendarException('iMip message could not be processed because an error occurred while parsing the iMip message', 0, $e);
 		}
-		// Force calendar change URI
-		/** @var Schedule\Plugin $schedulingPlugin */
-		$schedulingPlugin = $server->getServer()->getPlugin('caldav-schedule');
-		// Let sabre handle the rest
-		$iTipMessage = new Message();
-		/** @var VCalendar $vObject */
-		$vObject = Reader::read($calendarData);
-		/** @var VEvent $vEvent */
-		$vEvent = $vObject->{'VEVENT'};
-
-		if ($vObject->{'METHOD'} === null) {
-			throw new CalendarException('No Method provided for scheduling data. Could not process message');
+		// validate the iMip message
+		if (!isset($vObject->METHOD)) {
+			throw new CalendarException('iMip message contains no valid method');
 		}
-
-		if (!isset($vEvent->{'ORGANIZER'}) || !isset($vEvent->{'ATTENDEE'})) {
-			throw new CalendarException('Could not process scheduling data, neccessary data missing from ICAL');
+		if (!isset($vObject->VEVENT)) {
+			throw new CalendarException('iMip message contains no event');
 		}
-		$organizer = $vEvent->{'ORGANIZER'}->getValue();
-		$attendee = $vEvent->{'ATTENDEE'}->getValue();
-
-		$iTipMessage->method = $vObject->{'METHOD'}->getValue();
-		if ($iTipMessage->method === 'REQUEST') {
-			$iTipMessage->sender = $organizer;
-			$iTipMessage->recipient = $attendee;
-		} elseif ($iTipMessage->method === 'REPLY') {
-			if ($server->isExternalAttendee($vEvent->{'ATTENDEE'}->getValue())) {
-				$iTipMessage->recipient = $organizer;
-			} else {
-				$iTipMessage->recipient = $attendee;
+		if (!isset($vObject->VEVENT->UID)) {
+			throw new CalendarException('iMip message event dose not contain a UID');
+		}
+		if (!isset($vObject->VEVENT->ORGANIZER)) {
+			throw new CalendarException('iMip message event dose not contain an organizer');
+		}
+		if (!isset($vObject->VEVENT->ATTENDEE)) {
+			throw new CalendarException('iMip message event dose not contain an attendee');
+		}
+		if (empty($this->calendarInfo['uri'])) {
+			throw new CalendarException('Could not write to calendar as URI parameter is missing');
+		}
+		// construct dav server
+		$server = $this->getInvitationResponseServer();
+		/** @var CustomPrincipalPlugin $authPlugin */
+		$authPlugin = $server->getServer()->getPlugin('auth');
+		// we're working around the previous implementation
+		// that only allowed the public system principal to be used
+		// so set the custom principal here
+		$authPlugin->setCurrentPrincipal($this->calendar->getPrincipalURI());
+		// retrieve all users addresses
+		$userProperties = $server->getServer()->getProperties($this->calendar->getPrincipalURI(), [ self::DAV_PROPERTY_USER_ADDRESS, self::DAV_PROPERTY_USER_ADDRESSES ]);
+		$userAddress = 'mailto:' . ($userProperties[self::DAV_PROPERTY_USER_ADDRESS] ?? null);
+		$userAddresses = $userProperties[self::DAV_PROPERTY_USER_ADDRESSES]->getHrefs() ?? [];
+		$userAddresses = array_map('strtolower', array_map('urldecode', $userAddresses));
+		// validate the method, recipient and sender
+		$imipMethod = strtoupper($vObject->METHOD->getValue());
+		if (in_array($imipMethod, ['REPLY', 'REFRESH'], true)) {
+			// extract sender (REPLY and REFRESH method should only have one attendee)
+			$sender = strtolower($vObject->VEVENT->ATTENDEE->getValue());
+			// extract and verify the recipient
+			$recipient = strtolower($vObject->VEVENT->ORGANIZER->getValue());
+			if (!in_array($recipient, $userAddresses, true)) {
+				throw new CalendarException('iMip message dose not contain an organizer that matches the user');
+			}
+			// if the recipient address is not the same as the user address this means an alias was used
+			// the iTip broker uses the users primary email address during processing
+			if ($userAddress !== $recipient) {
+				$recipient = $userAddress;
+			}
+		} elseif (in_array($imipMethod, ['PUBLISH', 'REQUEST', 'ADD', 'CANCEL'], true)) {
+			// extract sender
+			$sender = strtolower($vObject->VEVENT->ORGANIZER->getValue());
+			// extract and verify the recipient
+			foreach ($vObject->VEVENT->ATTENDEE as $attendee) {
+				$recipient = strtolower($attendee->getValue());
+				if (in_array($recipient, $userAddresses, true)) {
+					break;
+				}
+				$recipient = null;
+			}
+			if ($recipient === null) {
+				throw new CalendarException('iMip message dose not contain an attendee that matches the user');
 			}
-			$iTipMessage->sender = $attendee;
-		} elseif ($iTipMessage->method === 'CANCEL') {
-			$iTipMessage->recipient = $attendee;
-			$iTipMessage->sender = $organizer;
+			// if the recipient address is not the same as the user address this means an alias was used
+			// the iTip broker uses the users primary email address during processing
+			if ($userAddress !== $recipient) {
+				$recipient = $userAddress;
+			}
+		} else {
+			throw new CalendarException('iMip message contains a method that is not supported: ' . $imipMethod);
 		}
-		$iTipMessage->uid = isset($vEvent->{'UID'}) ? $vEvent->{'UID'}->getValue() : '';
-		$iTipMessage->component = 'VEVENT';
-		$iTipMessage->sequence = isset($vEvent->{'SEQUENCE'}) ? (int)$vEvent->{'SEQUENCE'}->getValue() : 0;
-		$iTipMessage->message = $vObject;
-		$server->server->emit('schedule', [$iTipMessage]);
+		// generate the iTip message
+		$iTip = new Message();
+		$iTip->method = $imipMethod;
+		$iTip->sender = $sender;
+		$iTip->recipient = $recipient;
+		$iTip->component = 'VEVENT';
+		$iTip->uid = $vObject->VEVENT->UID->getValue();
+		$iTip->sequence = isset($vObject->VEVENT->SEQUENCE) ? (int)$vObject->VEVENT->SEQUENCE->getValue() : 1;
+		$iTip->message = $vObject;
+
+		$server->server->emit('schedule', [$iTip]);
 	}
 
 	public function getInvitationResponseServer(): InvitationResponseServer {

apps/dav/lib/CalDAV/Schedule/Plugin.php

@@ -132,7 +132,7 @@ public function propFind(PropFind $propFind, INode $node) {
 	 * @param string $principal
 	 * @return array
 	 */
-	protected function getAddressesForPrincipal($principal) {
+	public function getAddressesForPrincipal($principal) {
 		$result = parent::getAddressesForPrincipal($principal);
 
 		if ($result === null) {

apps/dav/tests/unit/CalDAV/CalendarImplTest.php

@@ -10,14 +10,12 @@
 use OCA\DAV\CalDAV\Calendar;
 use OCA\DAV\CalDAV\CalendarImpl;
 use OCA\DAV\CalDAV\InvitationResponse\InvitationResponseServer;
-use OCA\DAV\CalDAV\Schedule\Plugin;
 use OCA\DAV\Connector\Sabre\Server;
 use OCP\Calendar\Exceptions\CalendarException;
 use PHPUnit\Framework\MockObject\MockObject;
 use Sabre\VObject\Component\VCalendar;
 use Sabre\VObject\Component\VEvent;
 use Sabre\VObject\ITip\Message;
-use Sabre\VObject\Reader;
 
 class CalendarImplTest extends \Test\TestCase {
 	/** @var CalendarImpl */
@@ -35,6 +33,7 @@ class CalendarImplTest extends \Test\TestCase {
 	protected function setUp(): void {
 		parent::setUp();
 
+		$this->backend = $this->createMock(CalDavBackend::class);
 		$this->calendar = $this->createMock(Calendar::class);
 		$this->calendarInfo = [
 			'id' => 'fancy_id_123',
@@ -43,7 +42,7 @@ protected function setUp(): void {
 			'uri' => '/this/is/a/uri',
 			'principaluri' => 'principal/users/foobar'
 		];
-		$this->backend = $this->createMock(CalDavBackend::class);
+		$this->calendarImpl = new CalendarImpl($this->calendar, $this->calendarInfo, $this->backend);
 
 		$this->calendarImpl = new CalendarImpl($this->calendar,
 			$this->calendarInfo, $this->backend);
@@ -123,56 +122,128 @@ public function testGetPermissionAll(): void {
 		$this->assertEquals(31, $this->calendarImpl->getPermissions());
 	}
 
-	public function testHandleImipMessage(): void {
-		$message = <<<EOF
-BEGIN:VCALENDAR
-PRODID:-//Nextcloud/Nextcloud CalDAV Server//EN
-METHOD:REPLY
-VERSION:2.0
-BEGIN:VEVENT
-ATTENDEE;PARTSTAT=ACCEPTED:mailto:lewis@stardew-tent-living.com
-ORGANIZER:mailto:pierre@generalstore.com
-UID:aUniqueUid
-SEQUENCE:2
-REQUEST-STATUS:2.0;Success
-END:VEVENT
-END:VCALENDAR
-EOF;
+	public function testHandleImipNoMethod(): void {
+		// Arrange
+		$vObject = $this->vCalendar1a;
+
+		$this->expectException(CalendarException::class);
+		$this->expectExceptionMessage('iMip message contains no valid method');
+
+		// Act
+		$this->calendarImpl->handleIMipMessage('fakeUser', $vObject->serialize());
+	}
+
+	public function testHandleImipNoEvent(): void {
+		// Arrange
+		$vObject = $this->vCalendar1a;
+		$vObject->add('METHOD', 'REQUEST');
+		$vObject->remove('VEVENT');
+
+		$this->expectException(CalendarException::class);
+		$this->expectExceptionMessage('iMip message contains no event');
+
+		// Act
+		$this->calendarImpl->handleIMipMessage('fakeUser', $vObject->serialize());
+	}
+
+	public function testHandleImipNoUid(): void {
+		// Arrange
+		$vObject = $this->vCalendar1a;
+		$vObject->add('METHOD', 'REQUEST');
+		$vObject->VEVENT->remove('UID');
+
+		$this->expectException(CalendarException::class);
+		$this->expectExceptionMessage('iMip message event dose not contain a UID');
+
+		// Act
+		$this->calendarImpl->handleIMipMessage('fakeUser', $vObject->serialize());
+	}
+
+	public function testHandleImipNoOrganizer(): void {
+		// Arrange
+		$vObject = $this->vCalendar1a;
+		$vObject->add('METHOD', 'REQUEST');
+		$vObject->VEVENT->remove('ORGANIZER');
+
+		$this->expectException(CalendarException::class);
+		$this->expectExceptionMessage('iMip message event dose not contain an organizer');
+
+		// Act
+		$this->calendarImpl->handleIMipMessage('fakeUser', $vObject->serialize());
+	}
+
+	public function testHandleImipNoAttendee(): void {
+		// Arrange
+		$vObject = $this->vCalendar1a;
+		$vObject->add('METHOD', 'REQUEST');
+		$vObject->VEVENT->remove('ATTENDEE');
+
+		$this->expectException(CalendarException::class);
+		$this->expectExceptionMessage('iMip message event dose not contain an attendee');
+
+		// Act
+		$this->calendarImpl->handleIMipMessage('fakeUser', $vObject->serialize());
+	}
+
+	public function testHandleImipRequest(): void {
+		$userAddressSet = new class([ 'mailto:attendee1@testing.com', '/remote.php/dav/principals/users/attendee1/', ]) {
+			public function __construct(
+				private array $hrefs,
+			) {
+			}
+			public function getHrefs(): array {
+				return $this->hrefs;
+			}
+		};
+
+		$vObject = $this->vCalendar1a;
+		$vObject->add('METHOD', 'REQUEST');
+
+		$iTip = new Message();
+		$iTip->method = 'REQUEST';
+		$iTip->sender = $vObject->VEVENT->ORGANIZER->getValue();
+		$iTip->recipient = $vObject->VEVENT->ATTENDEE->getValue();
+		$iTip->component = 'VEVENT';
+		$iTip->uid = $vObject->VEVENT->UID->getValue();
+		$iTip->sequence = (int)$vObject->VEVENT->SEQUENCE->getValue() ?? 0;
+		$iTip->message = $vObject;
 
 		/** @var CustomPrincipalPlugin|MockObject $authPlugin */
 		$authPlugin = $this->createMock(CustomPrincipalPlugin::class);
 		$authPlugin->expects(self::once())
 			->method('setCurrentPrincipal')
 			->with($this->calendar->getPrincipalURI());
-
 		/** @var \Sabre\DAVACL\Plugin|MockObject $aclPlugin */
 		$aclPlugin = $this->createMock(\Sabre\DAVACL\Plugin::class);
 
-		/** @var Plugin|MockObject $schedulingPlugin */
-		$schedulingPlugin = $this->createMock(Plugin::class);
-		$iTipMessage = $this->getITipMessage($message);
-		$iTipMessage->recipient = 'mailto:lewis@stardew-tent-living.com';
-
 		$server = $this->createMock(Server::class);
 		$server->expects($this->any())
 			->method('getPlugin')
 			->willReturnMap([
 				['auth', $authPlugin],
 				['acl', $aclPlugin],
-				['caldav-schedule', $schedulingPlugin]
+			]);
+
+		$server->expects(self::once())
+			->method('getProperties')
+			->with(
+				$this->calendar->getPrincipalURI(),
+				[
+					'{http://sabredav.org/ns}email-address',
+					'{urn:ietf:params:xml:ns:caldav}calendar-user-address-set'
+				]
+			)
+			->willReturn([
+				'{http://sabredav.org/ns}email-address' => 'attendee1@testing.com',
+				'{urn:ietf:params:xml:ns:caldav}calendar-user-address-set' => $userAddressSet,
 			]);
 		$server->expects(self::once())
 			->method('emit');
-
-		$invitationResponseServer = $this->createPartialMock(InvitationResponseServer::class, ['getServer', 'isExternalAttendee']);
+		$invitationResponseServer = $this->createMock(InvitationResponseServer::class, ['getServer']);
 		$invitationResponseServer->server = $server;
 		$invitationResponseServer->expects($this->any())
 			->method('getServer')
 			->willReturn($server);
-		$invitationResponseServer->expects(self::once())
-			->method('isExternalAttendee')
-			->willReturn(false);
-
 		$calendarImpl = $this->getMockBuilder(CalendarImpl::class)
 			->setConstructorArgs([$this->calendar, $this->calendarInfo, $this->backend])
 			->onlyMethods(['getInvitationResponseServer'])