|
|
@@ -38,6 +38,7 @@ use OCP\AppFramework\OCSController; |
|
|
|
use OCP\AppFramework\Utility\ITimeFactory; |
|
|
|
use OCP\BackgroundJob\IJobList; |
|
|
|
use OCP\IRequest; |
|
|
|
use OCP\Security\Bruteforce\IThrottler; |
|
|
|
use OCP\Security\ISecureRandom; |
|
|
|
use Psr\Log\LoggerInterface; |
|
|
|
|
|
|
@@ -56,6 +57,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
private DbHandler $dbHandler; |
|
|
|
private LoggerInterface $logger; |
|
|
|
private ITimeFactory $timeFactory; |
|
|
|
private IThrottler $throttler; |
|
|
|
|
|
|
|
public function __construct( |
|
|
|
string $appName, |
|
|
@@ -65,7 +67,8 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
TrustedServers $trustedServers, |
|
|
|
DbHandler $dbHandler, |
|
|
|
LoggerInterface $logger, |
|
|
|
ITimeFactory $timeFactory |
|
|
|
ITimeFactory $timeFactory, |
|
|
|
IThrottler $throttler |
|
|
|
) { |
|
|
|
parent::__construct($appName, $request); |
|
|
|
|
|
|
@@ -75,6 +78,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
$this->dbHandler = $dbHandler; |
|
|
|
$this->logger = $logger; |
|
|
|
$this->timeFactory = $timeFactory; |
|
|
|
$this->throttler = $throttler; |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
@@ -82,6 +86,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
* |
|
|
|
* @NoCSRFRequired |
|
|
|
* @PublicPage |
|
|
|
* @BruteForceProtection(action=federationSharedSecret) |
|
|
|
* |
|
|
|
* @param string $url URL of the server |
|
|
|
* @param string $token Token of the server |
|
|
@@ -100,6 +105,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
* |
|
|
|
* @NoCSRFRequired |
|
|
|
* @PublicPage |
|
|
|
* @BruteForceProtection(action=federationSharedSecret) |
|
|
|
* |
|
|
|
* @param string $url URL of the server |
|
|
|
* @param string $token Token of the server |
|
|
@@ -117,6 +123,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
* |
|
|
|
* @NoCSRFRequired |
|
|
|
* @PublicPage |
|
|
|
* @BruteForceProtection(action=federationSharedSecret) |
|
|
|
* |
|
|
|
* @param string $url URL of the server |
|
|
|
* @param string $token Token of the server |
|
|
@@ -127,6 +134,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
*/ |
|
|
|
public function requestSharedSecret(string $url, string $token): DataResponse { |
|
|
|
if ($this->trustedServers->isTrustedServer($url) === false) { |
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); |
|
|
|
$this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']); |
|
|
|
throw new OCSForbiddenException(); |
|
|
|
} |
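Review bot: The throttler action `'federationSharedSecret'` in the new `registerAttempt` call inside requestSharedSecret is a bare string literal that has to stay in sync with the `@BruteForceProtection(action=federationSharedSecret)` annotation above the method, and the same literal is repeated in the getSharedSecret hunks; if either copy drifts, the middleware's delay and the registered attempts stop referring to the same bucket. A `private const BRUTEFORCE_ACTION = 'federationSharedSecret';` used in every `registerAttempt` call, with the comment `// must match the action in the @BruteForceProtection annotations`, would make that coupling visible. Separately, `$url` is supplied by the remote party and is concatenated raw into the error message on the line after the throttle call; whether the logger neutralises control characters is not visible here, so passing it in the context array (`['app' => 'federation', 'url' => $url]`) instead of the message body would be the more defensive form. requestSharedSecret continues past the end of this hunk.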
|
|
@@ -159,6 +167,7 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
* |
|
|
|
* @NoCSRFRequired |
|
|
|
* @PublicPage |
|
|
|
* @BruteForceProtection(action=federationSharedSecret) |
|
|
|
* |
|
|
|
* @param string $url URL of the server |
|
|
|
* @param string $token Token of the server |
|
|
@@ -169,11 +178,13 @@ class OCSAuthAPIController extends OCSController { |
|
|
|
*/ |
|
|
|
public function getSharedSecret(string $url, string $token): DataResponse { |
|
|
|
if ($this->trustedServers->isTrustedServer($url) === false) { |
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); |
|
|
|
$this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']); |
|
|
|
throw new OCSForbiddenException(); |
|
|
|
} |
|
|
|
|
|
|
|
if ($this->isValidToken($url, $token) === false) { |
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); |
|
|
|
$expectedToken = $this->dbHandler->getToken($url); |
|
|
|
$this->logger->error( |
|
|
|
'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret', |