mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 997 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65867 Commits
369 Branches
Tree: 9369b67df3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9369b67df3'
${ noResults }
nextcloud/core/Controller/ClientFlowLoginController.php

ClientFlowLoginController.php 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>

  4.  *

  5.  * @author Bjoern Schiessle <bjoern@schiessle.org>

  6.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  7.  * @author Daniel Kesselberg <mail@danielkesselberg.de>

  8.  * @author Joas Schilling <coding@schilljs.com>

  9.  * @author Lukas Reschke <lukas@statuscode.ch>

  10.  * @author Mario Danic <mario@lovelyhq.com>

  11.  * @author Morris Jobke <hey@morrisjobke.de>

  12.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  13.  * @author RussellAult <RussellAult@users.noreply.github.com>

  14.  * @author Sergej Nikolaev <kinolaev@gmail.com>

  15.  *

  16.  * @license GNU AGPL version 3 or any later version

  17.  *

  18.  * This program is free software: you can redistribute it and/or modify

  19.  * it under the terms of the GNU Affero General Public License as

  20.  * published by the Free Software Foundation, either version 3 of the

  21.  * License, or (at your option) any later version.

  22.  *

  23.  * This program is distributed in the hope that it will be useful,

  24.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  25.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  26.  * GNU Affero General Public License for more details.

  27.  *

  28.  * You should have received a copy of the GNU Affero General Public License

  29.  * along with this program. If not, see <http://www.gnu.org/licenses/>.

  30.  *

  31.  */

  32. namespace OC\Core\Controller;

  33. 

  34. use OC\Authentication\Events\AppPasswordCreatedEvent;

  35. use OC\Authentication\Exceptions\InvalidTokenException;

  36. use OC\Authentication\Exceptions\PasswordlessTokenException;

  37. use OC\Authentication\Token\IProvider;

  38. use OC\Authentication\Token\IToken;

  39. use OCA\OAuth2\Db\AccessToken;

  40. use OCA\OAuth2\Db\AccessTokenMapper;

  41. use OCA\OAuth2\Db\ClientMapper;

  42. use OCP\AppFramework\Controller;

  43. use OCP\AppFramework\Http;

  44. use OCP\AppFramework\Http\Response;

  45. use OCP\AppFramework\Http\StandaloneTemplateResponse;

  46. use OCP\Defaults;

  47. use OCP\EventDispatcher\IEventDispatcher;

  48. use OCP\IL10N;

  49. use OCP\IRequest;

  50. use OCP\ISession;

  51. use OCP\IURLGenerator;

  52. use OCP\IUser;

  53. use OCP\IUserSession;

  54. use OCP\Security\ICrypto;

  55. use OCP\Security\ISecureRandom;

  56. use OCP\Session\Exceptions\SessionNotAvailableException;

  57. 

  58. class ClientFlowLoginController extends Controller {

  59. 	private IUserSession $userSession;

  60. 	private IL10N $l10n;

  61. 	private Defaults $defaults;

  62. 	private ISession $session;

  63. 	private IProvider $tokenProvider;

  64. 	private ISecureRandom $random;

  65. 	private IURLGenerator $urlGenerator;

  66. 	private ClientMapper $clientMapper;

  67. 	private AccessTokenMapper $accessTokenMapper;

  68. 	private ICrypto $crypto;

  69. 	private IEventDispatcher $eventDispatcher;

  70. 

  71. 	public const STATE_NAME = 'client.flow.state.token';

  72. 

  73. 	public function __construct(string $appName,

  74. 								IRequest $request,

  75. 								IUserSession $userSession,

  76. 								IL10N $l10n,

  77. 								Defaults $defaults,

  78. 								ISession $session,

  79. 								IProvider $tokenProvider,

  80. 								ISecureRandom $random,

  81. 								IURLGenerator $urlGenerator,

  82. 								ClientMapper $clientMapper,

  83. 								AccessTokenMapper $accessTokenMapper,

  84. 								ICrypto $crypto,

  85. 								IEventDispatcher $eventDispatcher) {

  86. 		parent::__construct($appName, $request);

  87. 		$this->userSession = $userSession;

  88. 		$this->l10n = $l10n;

  89. 		$this->defaults = $defaults;

  90. 		$this->session = $session;

  91. 		$this->tokenProvider = $tokenProvider;

  92. 		$this->random = $random;

  93. 		$this->urlGenerator = $urlGenerator;

  94. 		$this->clientMapper = $clientMapper;

  95. 		$this->accessTokenMapper = $accessTokenMapper;

  96. 		$this->crypto = $crypto;

  97. 		$this->eventDispatcher = $eventDispatcher;

  98. 	}

  99. 

  100. 	private function getClientName(): string {

  101. 		$userAgent = $this->request->getHeader('USER_AGENT');

  102. 		return $userAgent !== '' ? $userAgent : 'unknown';

  103. 	}

  104. 

  105. 	private function isValidToken(string $stateToken): bool {

  106. 		$currentToken = $this->session->get(self::STATE_NAME);

  107. 		if (!is_string($currentToken)) {

  108. 			return false;

  109. 		}

  110. 		return hash_equals($currentToken, $stateToken);

  111. 	}

  112. 

  113. 	private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {

  114. 		$response = new StandaloneTemplateResponse(

  115. 			$this->appName,

  116. 			'403',

  117. 			[

  118. 				'message' => $this->l10n->t('State token does not match'),

  119. 			],

  120. 			'guest'

  121. 		);

  122. 		$response->setStatus(Http::STATUS_FORBIDDEN);

  123. 		return $response;

  124. 	}

  125. 

  126. 	/**

  127. 	 * @PublicPage

  128. 	 * @NoCSRFRequired

  129. 	 * @UseSession

  130. 	 */

  131. 	public function showAuthPickerPage(string $clientIdentifier = '', string $user = '', int $direct = 0): StandaloneTemplateResponse {

  132. 		$clientName = $this->getClientName();

  133. 		$client = null;

  134. 		if ($clientIdentifier !== '') {

  135. 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);

  136. 			$clientName = $client->getName();

  137. 		}

  138. 

  139. 		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)

  140. 		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');

  141. 		if ($clientRequest !== 'true' && $client === null) {

  142. 			return new StandaloneTemplateResponse(

  143. 				$this->appName,

  144. 				'error',

  145. 				[

  146. 					'errors' =>

  147. 					[

  148. 						[

  149. 							'error' => 'Access Forbidden',

  150. 							'hint' => 'Invalid request',

  151. 						],

  152. 					],

  153. 				],

  154. 				'guest'

  155. 			);

  156. 		}

  157. 

  158. 		$stateToken = $this->random->generate(

  159. 			64,

  160. 			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS

  161. 		);

  162. 		$this->session->set(self::STATE_NAME, $stateToken);

  163. 

  164. 		$csp = new Http\ContentSecurityPolicy();

  165. 		if ($client) {

  166. 			$csp->addAllowedFormActionDomain($client->getRedirectUri());

  167. 		} else {

  168. 			$csp->addAllowedFormActionDomain('nc://*');

  169. 		}

  170. 

  171. 		$response = new StandaloneTemplateResponse(

  172. 			$this->appName,

  173. 			'loginflow/authpicker',

  174. 			[

  175. 				'client' => $clientName,

  176. 				'clientIdentifier' => $clientIdentifier,

  177. 				'instanceName' => $this->defaults->getName(),

  178. 				'urlGenerator' => $this->urlGenerator,

  179. 				'stateToken' => $stateToken,

  180. 				'serverHost' => $this->getServerPath(),

  181. 				'oauthState' => $this->session->get('oauth.state'),

  182. 				'user' => $user,

  183. 				'direct' => $direct,

  184. 			],

  185. 			'guest'

  186. 		);

  187. 

  188. 		$response->setContentSecurityPolicy($csp);

  189. 		return $response;

  190. 	}

  191. 

  192. 	/**

  193. 	 * @NoAdminRequired

  194. 	 * @NoCSRFRequired

  195. 	 * @NoSameSiteCookieRequired

  196. 	 * @UseSession

  197. 	 */

  198. 	public function grantPage(string $stateToken = '',

  199. 				  string $clientIdentifier = '',

  200. 				  int $direct = 0): StandaloneTemplateResponse {

  201. 		if (!$this->isValidToken($stateToken)) {

  202. 			return $this->stateTokenForbiddenResponse();

  203. 		}

  204. 

  205. 		$clientName = $this->getClientName();

  206. 		$client = null;

  207. 		if ($clientIdentifier !== '') {

  208. 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);

  209. 			$clientName = $client->getName();

  210. 		}

  211. 

  212. 		$csp = new Http\ContentSecurityPolicy();

  213. 		if ($client) {

  214. 			$csp->addAllowedFormActionDomain($client->getRedirectUri());

  215. 		} else {

  216. 			$csp->addAllowedFormActionDomain('nc://*');

  217. 		}

  218. 

  219. 		/** @var IUser $user */

  220. 		$user = $this->userSession->getUser();

  221. 

  222. 		$response = new StandaloneTemplateResponse(

  223. 			$this->appName,

  224. 			'loginflow/grant',

  225. 			[

  226. 				'userId' => $user->getUID(),

  227. 				'userDisplayName' => $user->getDisplayName(),

  228. 				'client' => $clientName,

  229. 				'clientIdentifier' => $clientIdentifier,

  230. 				'instanceName' => $this->defaults->getName(),

  231. 				'urlGenerator' => $this->urlGenerator,

  232. 				'stateToken' => $stateToken,

  233. 				'serverHost' => $this->getServerPath(),

  234. 				'oauthState' => $this->session->get('oauth.state'),

  235. 				'direct' => $direct,

  236. 			],

  237. 			'guest'

  238. 		);

  239. 

  240. 		$response->setContentSecurityPolicy($csp);

  241. 		return $response;

  242. 	}

  243. 

  244. 	/**

  245. 	 * @NoAdminRequired

  246. 	 * @UseSession

  247. 	 *

  248. 	 * @return Http\RedirectResponse|Response

  249. 	 */

  250. 	public function generateAppPassword(string $stateToken,

  251. 										string $clientIdentifier = '') {

  252. 		if (!$this->isValidToken($stateToken)) {

  253. 			$this->session->remove(self::STATE_NAME);

  254. 			return $this->stateTokenForbiddenResponse();

  255. 		}

  256. 

  257. 		$this->session->remove(self::STATE_NAME);

  258. 

  259. 		try {

  260. 			$sessionId = $this->session->getId();

  261. 		} catch (SessionNotAvailableException $ex) {

  262. 			$response = new Response();

  263. 			$response->setStatus(Http::STATUS_FORBIDDEN);

  264. 			return $response;

  265. 		}

  266. 

  267. 		try {

  268. 			$sessionToken = $this->tokenProvider->getToken($sessionId);

  269. 			$loginName = $sessionToken->getLoginName();

  270. 			try {

  271. 				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);

  272. 			} catch (PasswordlessTokenException $ex) {

  273. 				$password = null;

  274. 			}

  275. 		} catch (InvalidTokenException $ex) {

  276. 			$response = new Response();

  277. 			$response->setStatus(Http::STATUS_FORBIDDEN);

  278. 			return $response;

  279. 		}

  280. 

  281. 		$clientName = $this->getClientName();

  282. 		$client = false;

  283. 		if ($clientIdentifier !== '') {

  284. 			$client = $this->clientMapper->getByIdentifier($clientIdentifier);

  285. 			$clientName = $client->getName();

  286. 		}

  287. 

  288. 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

  289. 		$uid = $this->userSession->getUser()->getUID();

  290. 		$generatedToken = $this->tokenProvider->generateToken(

  291. 			$token,

  292. 			$uid,

  293. 			$loginName,

  294. 			$password,

  295. 			$clientName,

  296. 			IToken::PERMANENT_TOKEN,

  297. 			IToken::DO_NOT_REMEMBER

  298. 		);

  299. 

  300. 		if ($client) {

  301. 			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

  302. 			$accessToken = new AccessToken();

  303. 			$accessToken->setClientId($client->getId());

  304. 			$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));

  305. 			$accessToken->setHashedCode(hash('sha512', $code));

  306. 			$accessToken->setTokenId($generatedToken->getId());

  307. 			$this->accessTokenMapper->insert($accessToken);

  308. 

  309. 			$redirectUri = $client->getRedirectUri();

  310. 

  311. 			if (parse_url($redirectUri, PHP_URL_QUERY)) {

  312. 				$redirectUri .= '&';

  313. 			} else {

  314. 				$redirectUri .= '?';

  315. 			}

  316. 

  317. 			$redirectUri .= sprintf(

  318. 				'state=%s&code=%s',

  319. 				urlencode($this->session->get('oauth.state')),

  320. 				urlencode($code)

  321. 			);

  322. 			$this->session->remove('oauth.state');

  323. 		} else {

  324. 			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);

  325. 

  326. 			// Clear the token from the login here

  327. 			$this->tokenProvider->invalidateToken($sessionId);

  328. 		}

  329. 

  330. 		$this->eventDispatcher->dispatchTyped(

  331. 			new AppPasswordCreatedEvent($generatedToken)

  332. 		);

  333. 

  334. 		return new Http\RedirectResponse($redirectUri);

  335. 	}

  336. 

  337. 	/**

  338. 	 * @PublicPage

  339. 	 */

  340. 	public function apptokenRedirect(string $stateToken, string $user, string $password): Response {

  341. 		if (!$this->isValidToken($stateToken)) {

  342. 			return $this->stateTokenForbiddenResponse();

  343. 		}

  344. 

  345. 		try {

  346. 			$token = $this->tokenProvider->getToken($password);

  347. 			if ($token->getLoginName() !== $user) {

  348. 				throw new InvalidTokenException('login name does not match');

  349. 			}

  350. 		} catch (InvalidTokenException $e) {

  351. 			$response = new StandaloneTemplateResponse(

  352. 				$this->appName,

  353. 				'403',

  354. 				[

  355. 					'message' => $this->l10n->t('Invalid app password'),

  356. 				],

  357. 				'guest'

  358. 			);

  359. 			$response->setStatus(Http::STATUS_FORBIDDEN);

  360. 			return $response;

  361. 		}

  362. 

  363. 		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);

  364. 		return new Http\RedirectResponse($redirectUri);

  365. 	}

  366. 

  367. 	private function getServerPath(): string {

  368. 		$serverPostfix = '';

  369. 

  370. 		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {

  371. 			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));

  372. 		} elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {

  373. 			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));

  374. 		}

  375. 

  376. 		$protocol = $this->request->getServerProtocol();

  377. 

  378. 		if ($protocol !== "https") {

  379. 			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');

  380. 			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');

  381. 			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {

  382. 				$protocol = 'https';

  383. 			}

  384. 		}

  385. 

  386. 		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;

  387. 	}

  388. }