author | Morris Jobke <hey@morrisjobke.de> | 2016-12-05 22:29:29 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-12-05 22:29:29 +0100 |
commit | aac3024878dd97ead2b627b963dba6d7dffc049f (patch) | |
tree | 00b7d4e3f42be8fe6e64a44bb88a188b74b4a8b0 | |
parent | ea4baa626984f893d7098f540ff4e929bd12ce6f (diff) | |
parent | e368a745aa5f9eb53327b2875d9fade8b4e8398b (diff) | |
Merge pull request #2505 from nextcloud/sudo-mode-provisioning-api
Require sudo mode on the provisioning API
-rw-r--r-- | apps/provisioning_api/lib/Controller/AppsController.php | 6 | ||||
-rw-r--r-- | apps/provisioning_api/lib/Controller/GroupsController.php | 4 | ||||
-rw-r--r-- | apps/provisioning_api/lib/Controller/UsersController.php | 21 | ||||
-rw-r--r-- | lib/private/User/Session.php | 5 | ||||
-rw-r--r-- | tests/lib/User/SessionTest.php | 101 |
5 files changed, 130 insertions, 7 deletions
diff --git a/apps/provisioning_api/lib/Controller/AppsController.php b/apps/provisioning_api/lib/Controller/AppsController.php
index 7d11d92b55a..e384d5af907 100644
--- a/apps/provisioning_api/lib/Controller/AppsController.php
+++ b/apps/provisioning_api/lib/Controller/AppsController.php
@@ -25,12 +25,10 @@ namespace OCA\Provisioning_API\Controller;
-use OC\OCSClient;
 use \OC_App;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSException;
-use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
 use OCP\IRequest;
@@ -86,7 +84,7 @@ class AppsController extends OCSController {
 /**
 * @param string $app
 * @return DataResponse
- * @throws OCSNotFoundException
+ * @throws OCSException
 */
 public function getAppInfo($app) {
 $info = \OCP\App::getAppInfo($app);
@@ -98,6 +96,7 @@ class AppsController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @param string $app
 * @return DataResponse
 */
@@ -107,6 +106,7 @@ class AppsController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @param string $app
 * @return DataResponse
 */
diff --git a/apps/provisioning_api/lib/Controller/GroupsController.php b/apps/provisioning_api/lib/Controller/GroupsController.php
index d36d0de8997..c772076c3d1 100644
--- a/apps/provisioning_api/lib/Controller/GroupsController.php
+++ b/apps/provisioning_api/lib/Controller/GroupsController.php
@@ -128,7 +128,7 @@ class GroupsController extends OCSController {
 /**
 * creates a new group
 *
- * @NoAdminRequired
+ * @PasswordConfirmationRequired
 *
 * @param string $groupid
 * @return DataResponse
@@ -149,6 +149,8 @@ class GroupsController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
+ *
 * @param string $groupId
 * @return DataResponse
 * @throws OCSException
diff --git a/apps/provisioning_api/lib/Controller/UsersController.php b/apps/provisioning_api/lib/Controller/UsersController.php
index 8e5975468b1..cc1d63d2d34 100644
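Review bot: In the GroupsController hunk at `@@ -128,7 +128,7 @@` the `addGroup` docblock has `@NoAdminRequired` replaced by `@PasswordConfirmationRequired` rather than gaining it, so besides requiring sudo mode this also drops the non-admin access the old annotation granted (presumably sub-admins, whose check would live in the method body, which is outside the hunk). If narrowing group creation to admins is intended it should be stated in the PR description, since the title only promises sudo mode; if it is not, the two annotations should be stacked: `* @NoAdminRequired` followed by `* @PasswordConfirmationRequired`, as the UsersController hunks in the same commit do. The other hunks on this line (AppsController enable/disable, GroupsController delete) only add the annotation and look consistent.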
--- a/apps/provisioning_api/lib/Controller/UsersController.php
+++ b/apps/provisioning_api/lib/Controller/UsersController.php
@@ -93,6 +93,7 @@ class UsersController extends OCSController {
 */
 public function getUsers($search = '', $limit = null, $offset = null) {
 $user = $this->userSession->getUser();
+ $users = [];
 // Admin? Or SubAdmin?
 $uid = $user->getUID();
@@ -125,6 +126,7 @@ class UsersController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @NoAdminRequired
 *
 * @param string $userid
@@ -218,6 +220,7 @@ class UsersController extends OCSController {
 /**
 * @NoAdminRequired
 * @NoSubAdminRequired
+ * @PasswordConfirmationRequired
 *
 * edit users
 *
 * @param string $userId
@@ -308,6 +311,7 @@ class UsersController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @NoAdminRequired
 *
 * @param string $userId
@@ -339,20 +343,26 @@ class UsersController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @NoAdminRequired
 *
 * @param string $userId
 * @return DataResponse
+ * @throws OCSException
+ * @throws OCSForbiddenException
 */
 public function disableUser($userId) {
 return $this->setEnabled($userId, false);
 }
 /**
+ * @PasswordConfirmationRequired
 * @NoAdminRequired
 *
 * @param string $userId
 * @return DataResponse
+ * @throws OCSException
+ * @throws OCSForbiddenException
 */
 public function enableUser($userId) {
 return $this->setEnabled($userId, true);
@@ -390,8 +400,7 @@ class UsersController extends OCSController {
 *
 * @param string $userId
 * @return DataResponse
- * @throws OCSForbiddenException
- * @throws OCSNotFoundException
+ * @throws OCSException
 */
 public function getUsersGroups($userId) {
 $loggedInUser = $this->userSession->getUser();
@@ -430,6 +439,7 @@ class UsersController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @param string $userId
 * @param string $groupid
 * @return DataResponse
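Review bot: Nothing in this change exercises the `@PasswordConfirmationRequired` annotations added to UsersController — the diffstat lists only tests/lib/User/SessionTest.php — so there is no test that a request with a stale `last-password-confirm` is refused on `disableUser`/`enableUser` or the other methods gaining the annotation on this line (their signatures fall outside the hunks). The annotation only has an effect if the middleware that reads it runs for OCS controllers, which this diff does not show; a controller test that drives one route with an expired confirmation and expects the not-confirmed response would pin that, and is cheap compared to the Session test that was added. On the `getUsers` hunk the new `$users = [];` initialisation is unexplained because the branches that populate it are outside the hunk; if it exists so that every return path has an array, a one-line comment such as `// default so every branch below can return $users` would make that visible.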
@@ -455,9 +465,10 @@ class UsersController extends OCSController {
 }
 /**
+ * @PasswordConfirmationRequired
 * @NoAdminRequired
 *
- * @param string userId
+ * @param string $userId
 * @param string $groupid
 * @return DataResponse
 * @throws OCSException
@@ -511,6 +522,8 @@ class UsersController extends OCSController {
 /**
 * Creates a subadmin
 *
+ * @PasswordConfirmationRequired
+ *
 * @param string $userId
 * @param string $groupid
 * @return DataResponse
@@ -550,6 +563,8 @@ class UsersController extends OCSController {
 /**
 * Removes a subadmin from a group
 *
+ * @PasswordConfirmationRequired
+ *
 * @param string $userId
 * @param string $groupid
 * @return DataResponse
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index c3561cf64e3..dcda825b9db 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -423,6 +423,7 @@ class Session implements IUserSession, Emitter {
 *
 * @todo do not allow basic auth if the user is 2FA enforced
 * @param IRequest $request
+ * @param OC\Security\Bruteforce\Throttler $throttler
 * @return boolean if the login was successful
 */
 public function tryBasicAuthLogin(IRequest $request,
@@ -440,6 +441,10 @@ class Session implements IUserSession, Emitter {
 $this->session->set(
 Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
 );
+
+ // Set the last-password-confirm session to make the sudo mode work
+ $this->session->set('last-password-confirm', $this->timeFacory->getTime());
+
 return true;
 }
 } catch (PasswordLoginForbiddenException $ex) {
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index 78b673d10bd..27cb92d6732 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -8,6 +8,7 @@ namespace Test\User;
+use OC\AppFramework\Http\Request;
 use OC\Authentication\Token\DefaultTokenMapper;
 use OC\Authentication\Token\DefaultTokenProvider;
 use OC\Authentication\Token\IProvider;
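Review bot: The new `$this->session->set('last-password-confirm', $this->timeFacory->getTime());` in the Session.php hunk at `@@ -440,6 +441,10 @@` stamps sudo mode on every successful `tryBasicAuthLogin`, yet the docblock context three lines above still carries `@todo do not allow basic auth if the user is 2FA enforced`, and `logClientIn` (outside the hunk) may also accept app passwords or tokens rather than the real password — if it does, a leaked app password now also unlocks every `@PasswordConfirmationRequired` route, which is a weaker guarantee than the interactive re-entry of the account password the annotation is meant to enforce. Consider setting the timestamp only when the credential was the account password (or at least skipping it when an app password was used), and replace the bare comment with the reasoning: `// Basic auth re-sent credentials on this very request, so treat it as a fresh password confirmation; must not apply to app passwords/tokens`. Two smaller points in the same file: the docblock type `OC\Security\Bruteforce\Throttler` has no leading backslash, so inside namespace `OC\User` docblock-aware tools resolve it as `OC\User\OC\Security\Bruteforce\Throttler` — write `\OC\Security\Bruteforce\Throttler $throttler` or import it; and the property is spelled `timeFacory`, which presumably matches an existing misspelled property since the test constructs Session with `$this->timeFactory`, but it is worth confirming before this goes in. The rest of tryBasicAuthLogin, including the `logClientIn` call and the catch block, lies outside the hunk.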
@@ -17,6 +18,7 @@ use OC\Session\Memory;
 use OC\User\Manager;
 use OC\User\Session;
 use OC\User\User;
+use OCA\DAV\Connector\Sabre\Auth;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\ILogger;
@@ -1219,4 +1221,103 @@ class SessionTest extends \Test\TestCase {
 $this->userSession->createRememberMeToken($user);
 }
+
+ public function testTryBasicAuthLoginValid() {
+ $request = $this->createMock(Request::class);
+ $request->method('__get')
+ ->willReturn([
+ 'PHP_AUTH_USER' => 'username',
+ 'PHP_AUTH_PW' => 'password',
+ ]);
+ $request->method('__isset')
+ ->with('server')
+ ->willReturn(true);
+
+ $davAuthenticatedSet = false;
+ $lastPasswordConfirmSet = false;
+
+ $this->session
+ ->method('set')
+ ->will($this->returnCallback(function($k, $v) use (&$davAuthenticatedSet, &$lastPasswordConfirmSet) {
+ switch ($k) {
+ case Auth::DAV_AUTHENTICATED:
+ $davAuthenticatedSet = $v;
+ return;
+ case 'last-password-confirm':
+ $lastPasswordConfirmSet = 1000;
+ return;
+ default:
+ throw new \Exception();
+ }
+ }));
+
+ $userSession = $this->getMockBuilder(Session::class)
+ ->setConstructorArgs([
+ $this->manager,
+ $this->session,
+ $this->timeFactory,
+ $this->tokenProvider,
+ $this->config,
+ $this->random,
+ ])
+ ->setMethods([
+ 'logClientIn',
+ 'getUser',
+ ])
+ ->getMock();
+
+ /** @var Session|\PHPUnit_Framework_MockObject_MockObject */
+ $userSession->expects($this->once())
+ ->method('logClientIn')
+ ->with(
+ $this->equalTo('username'),
+ $this->equalTo('password'),
+ $this->equalTo($request),
+ $this->equalTo($this->throttler)
+ )->willReturn(true);
+
+ $user = $this->createMock(IUser::class);
+ $user->method('getUID')->willReturn('username');
+
+ $userSession->expects($this->once())
+ ->method('getUser')
+ ->willReturn($user);
+
+ $this->assertTrue($userSession->tryBasicAuthLogin($request, $this->throttler));
+
+ $this->assertSame('username', $davAuthenticatedSet);
+ $this->assertSame(1000, $lastPasswordConfirmSet);
+ }
+
+ public function testTryBasicAuthLoginNoLogin() {
+ $request = $this->createMock(Request::class);
+ $request->method('__get')
+ ->willReturn([]);
+ $request->method('__isset')
+ ->with('server')
+ ->willReturn(true);
+ $this->session->expects($this->never())
+ ->method($this->anything());
+
+ $userSession = $this->getMockBuilder(Session::class)
+ ->setConstructorArgs([
+ $this->manager,
+ $this->session,
+ $this->timeFactory,
+ $this->tokenProvider,
+ $this->config,
+ $this->random,
+ ])
+ ->setMethods([
+ 'logClientIn',
+ ])
+ ->getMock();
+
+ /** @var Session|\PHPUnit_Framework_MockObject_MockObject */
+ $userSession->expects($this->never())
+ ->method('logClientIn');
+
+ $this->assertFalse($userSession->tryBasicAuthLogin($request, $this->throttler));
+ }
 }
|
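Review bot: In `testTryBasicAuthLoginValid` the `case 'last-password-confirm':` arm of the `set` callback assigns the constant `1000` instead of the value it was given, so `$this->assertSame(1000, $lastPasswordConfirmSet)` passes even if Session writes a wrong timestamp or `null` — the test only proves the key was touched, not that the time factory's value was stored. Capture the argument and drive it from the clock instead: `$lastPasswordConfirmSet = $v;` in the callback and `$this->timeFactory->method('getTime')->willReturn(1000);` before the call (this assumes `$this->timeFactory` is a mock of ITimeFactory set up outside the hunk, which the constructor args suggest but do not prove). The `default: throw new \Exception();` arm is a good guard against unexpected keys but would be easier to diagnose with the key in the message, e.g. `throw new \Exception('unexpected session key ' . $k);`.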