Merge branch 'feature/PB-39559_v4_12_13-Prepare-API-code' into 'release'

PB-39559 4.12.0-test.1

See merge request passbolt/passbolt-ce-api!341

Author: ishanvyas22

CHANGELOG.md

@@ -2,6 +2,23 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.12.0-test.1] - 2025-03-05
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
+
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format
+
 ## [4.11.1] - 2025-02-17
 ### Security
 - PB-39045 Fix empty fullBaseUrl leading to Host header injection attack

RELEASE_NOTES.md

@@ -1,9 +1,18 @@
-Release song: https://youtu.be/U16Xg_rQZkA?si=cVcmovGWluuo8oYj
+Release song: TBD
 
-Passbolt is pleased to announce the immediate availability of version v4.11.1. This version is a targeted security release of the API focusing on fixing the security issue reported by a security researcher.
+## [4.12.0-test.1] - 2025-03-05
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
 
-We would like to express our appreciation to the community for their assistance in making Passbolt more secure. Further details can be found in [the incident report](https://www.passbolt.com/incidents/host-header-injection-vulnerability).
-
-## [4.11.1] - 2025-02-17
-### Security
-- PB-39045 Fix empty fullBaseUrl leading to Host header injection attack
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format

config/version.php

@@ -1,8 +1,8 @@
 <?php
 return [
     'passbolt' => [
-        'version' => '4.11.1',
-        'name' => 'Rebel Rebel',
+        'version' => '4.12.0-test.1',
+        'name' => 'TBD',
     ],
     'php' => [
         'minVersion' => '7.4',

package-lock.json

@@ -24,7 +24,7 @@
     "jquery": "^3.5.1",
     "lockfile-lint": "^4.14.0",
     "openpgp": "^5.11.1",
-    "passbolt-styleguide": "^4.11.0"
+    "passbolt-styleguide": "^4.12.0"
   },
   "scripts": {
     "lint": "npm run lint:lockfile",

package.json

@@ -29,6 +29,7 @@
 use Passbolt\Metadata\Model\Rule\IsFolderV5ToV4DowngradeAllowedRule;
 use Passbolt\Metadata\Model\Rule\IsMetadataKeyTypeAllowedBySettingsRule;
 use Passbolt\Metadata\Model\Rule\IsMetadataKeyTypeSharedOnSharedItemRule;
+use Passbolt\Metadata\Model\Rule\IsSharedMetadataKeyUniqueActiveRule;
 use Passbolt\Metadata\Model\Rule\IsV4ToV5UpgradeAllowedRule;
 use Passbolt\Metadata\Model\Rule\IsValidEncryptedMetadataRule;
 use Passbolt\Metadata\Model\Rule\MetadataKeyIdExistsInRule;
@@ -127,6 +128,9 @@ public function initialize(array $config): void
                 'FoldersRelations.foreign_model' => 'Resource',
             ],
         ]);
+        $this->belongsTo('MetadataKeys', [
+            'className' => 'Passbolt/Metadata.MetadataKeys',
+        ]);
     }
 
     /**
@@ -259,9 +263,14 @@ public function buildRulesV5(RulesChecker $rules): RulesChecker
             'message' => __('The metadata key is marked as expired.'),
         ]);
 
+        $rules->add(new IsSharedMetadataKeyUniqueActiveRule(), 'isSharedMetadataKeyUniqueActive', [
+            'errorField' => 'metadata_key_id',
+            'message' => __('The shared metadata key should be unique.'),
+        ]);
+
         $rules->add(new IsValidEncryptedMetadataRule(), 'isValidEncryptedMetadata', [
             'errorField' => 'metadata',
-            'message' => __('The resource metadata provided can not be decrypted.'),
+            'message' => __('The folder metadata provided cannot be decrypted.'),
         ]);
 
         $rules->addUpdate(

plugins/PassboltCe/Folders/src/Model/Table/FoldersTable.php

@@ -21,11 +21,13 @@
 use App\Model\Table\PermissionsTable;
 use App\Model\Traits\Query\CaseInsensitiveSearchQueryTrait;
 use Cake\Database\Expression\IdentifierExpression;
+use Cake\Database\Expression\QueryExpression;
 use Cake\ORM\Query;
 use Cake\Validation\Validation;
 use InvalidArgumentException;
 use Passbolt\Folders\Model\Behavior\FolderizableBehavior;
 use Passbolt\Folders\Model\Entity\Folder;
+use Passbolt\Metadata\Model\Entity\MetadataKey;
 
 /**
  * Trait FoldersFindersTrait
@@ -154,6 +156,28 @@ public function findIndex(string $userId, ?array $options = [])
         return $query;
     }
 
+    /**
+     * Returns all folders with expired metadata key.
+     *
+     * @return \Cake\ORM\Query
+     */
+    public function findMetadataRotateKeyIndex(): Query
+    {
+        $query = $this->find();
+
+        return $query
+            ->where([
+                'Folders.metadata_key_type' => MetadataKey::TYPE_SHARED_KEY,
+                $query->newExpr()->isNotNull('Folders.metadata'),
+                $query->newExpr()->isNotNull('Folders.metadata_key_id'),
+            ])
+            ->innerJoin(['MetadataKeys' => 'metadata_keys'], [
+                'MetadataKeys.id' => new IdentifierExpression('Folders.metadata_key_id'),
+                $query->newExpr()->isNotNull('MetadataKeys.expired'),
+            ])
+            ->disableHydration();
+    }
+
     /**
      * Build the query that fetches data for folders view
      *
@@ -259,4 +283,68 @@ public function filterQueryByParentIds(Query $query, array $parentIds): Query
             return $q->where(['OR' => $conditions]);
         });
     }
+
+    /**
+     * Returns all resources in v4 format that need to be upgraded.
+     *
+     * @param array $options query options
+     * @return \Cake\ORM\Query
+     */
+    public function findMetadataUpgradeIndex(array $options): Query
+    {
+        $query = $this->find('v4')->disableHydration();
+
+        $containPermissions = (bool)($options['contain']['permissions'] ?? false);
+        if ($containPermissions) {
+            $query->contain('Permissions');
+        }
+
+        if (!isset($options['filter']['is-shared'])) {
+            return $query;
+        }
+
+        $isShared = $options['filter']['is-shared'];
+        $groupPermissionsCount = $this->Permissions->find()
+            ->select(['permissions_on_groups' => 'COUNT(*)'])
+            ->where([
+                'Permissions.aco_foreign_key' => $query->identifier('Folders.id'),
+                'Permissions.aco' => PermissionsTable::FOLDER_ACO,
+                'Permissions.aro' => PermissionsTable::GROUP_ARO,
+            ]);
+        $userPermissionsCount = $this->Permissions->find()
+            ->select(['permissions_on_users' => 'COUNT(*)'])
+            ->where([
+                'Permissions.aco_foreign_key' => $query->identifier('Folders.id'),
+                'Permissions.aco' => PermissionsTable::FOLDER_ACO,
+                'Permissions.aro' => PermissionsTable::USER_ARO,
+            ]);
+        if ($isShared === true) {
+            // Is shared if at least one permission is a group permission
+            // OR if at least two permissions are user permissions
+            $query->where(function (QueryExpression $exp) use ($groupPermissionsCount, $userPermissionsCount) {
+                return $exp->or(function (QueryExpression $or) use ($groupPermissionsCount, $userPermissionsCount) {
+                    return $or->gte($userPermissionsCount, 2)->gte($groupPermissionsCount, 1);
+                });
+            });
+        } elseif ($isShared === false) {
+            // Is not shared if no permission is a group permission
+            // AND the only permission is a user permission
+            $query->where(function (QueryExpression $exp) use ($groupPermissionsCount, $userPermissionsCount) {
+                return $exp->eq($groupPermissionsCount, 0)->eq($userPermissionsCount, 1);
+            });
+        }
+
+        return $query;
+    }
+
+    /**
+     * @param \Cake\ORM\Query $query Query
+     * @return \Cake\ORM\Query
+     */
+    public function findV4(Query $query): Query
+    {
+        return $query->where([
+            $query->newExpr()->isNull('Folders.metadata'),
+        ]);
+    }
 }

plugins/PassboltCe/Folders/src/Model/Traits/Folders/FoldersFindersTrait.php

@@ -34,6 +34,7 @@
  * @method \Passbolt\Folders\Model\Entity\Folder getEntity()
  * @method \Passbolt\Folders\Model\Entity\Folder[] getEntities()
  * @method static \Passbolt\Folders\Model\Entity\Folder get($primaryKey, array $options = [])
+ * @method static \Passbolt\Folders\Model\Entity\Folder firstOrFail($conditions = null)()
  */
 class FolderFactory extends CakephpBaseFactory
 {

plugins/PassboltCe/Folders/tests/Factory/FolderFactory.php

@@ -101,6 +101,20 @@
                 ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeResourcesPost', 'action' => 'post']
             )
             ->setMethods(['POST']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeFoldersIndex', 'action' => 'index']
+            )
+            ->setMethods(['GET']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeFoldersPost', 'action' => 'post']
+            )
+            ->setMethods(['POST']);
     });
 
     /**
@@ -122,5 +136,19 @@
                 ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyResourcesPost', 'action' => 'post']
             )
             ->setMethods(['POST']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyFoldersIndex', 'action' => 'index']
+            )
+            ->setMethods(['GET']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyFoldersPost', 'action' => 'post']
+            )
+            ->setMethods(['POST']);
     });
 });

plugins/PassboltCe/Metadata/config/routes.php

@@ -34,7 +34,9 @@ class MetadataPaginationComponent extends Component
      *
      * @var array<string, mixed>
      */
-    protected $_defaultConfig = [];
+    protected $_defaultConfig = [
+        'maxLimit' => self::MAX_PAGINATION_LIMIT,
+    ];
 
     /**
      * Overwrites pagination limit with the one defined in configuration
@@ -46,20 +48,37 @@ class MetadataPaginationComponent extends Component
      */
     public function initialize(array $config): void
     {
-        $config = $this->setPaginationOptions($config);
         $this->getController()->loadComponent('ApiPagination', $config);
         $this->getController()->paginate['order'] = $config['order'] ?? [];
         $this->getController()->paginate['limit'] = $config['limit'] ?? [];
-        $this->unsetDisallowedPaginationParams();
+        $this->modifyPaginationOptionsInRequest();
     }
 
     /**
-     * Set pagination options.
+     * Remove/modify pagination query parameters, those are controlled by configuration for security reasons.
      *
-     * @param array $config component configuration
-     * @return array
+     * @return void
+     */
+    private function modifyPaginationOptionsInRequest(): void
+    {
+        $params = $this->getController()->getRequest()->getQueryParams();
+
+        // page is not allowed to be controlled
+        unset($params['page']);
+
+        // limit should be enforced via config
+        $limit = $this->getConfigurationLimit();
+        $params['limit'] = $limit;
+
+        $request = $this->getController()->getRequest()->withQueryParams($params);
+        $this->getController()->setRequest($request);
+    }
+
+    /**
+     * @throws \Cake\Http\Exception\InternalErrorException When config value is invalid.
+     * @return mixed
      */
-    private function setPaginationOptions(array $config): array
+    public function getConfigurationLimit()
     {
         $limit = Configure::read('passbolt.plugins.metadata.defaultPaginationLimit');
 
@@ -70,25 +89,6 @@ private function setPaginationOptions(array $config): array
             throw new InternalErrorException($message);
         }
 
-        $limit = max(min($limit, self::MAX_PAGINATION_LIMIT), self::MIN_PAGINATION_LIMIT);
-
-        return array_merge($config, [
-            'limit' => $limit,
-            'maxLimit' => self::MAX_PAGINATION_LIMIT,
-        ]);
-    }
-
-    /**
-     * Remove pagination query parameters, those are controlled by configuration for security reasons.
-     *
-     * @return void
-     */
-    private function unsetDisallowedPaginationParams(): void
-    {
-        $params = $this->getController()->getRequest()->getQueryParams();
-        unset($params['page']);
-        unset($params['limit']);
-        $request = $this->getController()->getRequest()->withQueryParams($params);
-        $this->getController()->setRequest($request);
+        return max(min($limit, self::MAX_PAGINATION_LIMIT), self::MIN_PAGINATION_LIMIT);
     }
 }