Move OCSAuthAPI to AppFramework

* Convert class
* Convert routes
* Convert tests

1 files changed, 187 insertions, 0 deletions

diff --git a/apps/federation/lib/Controller/OCSAuthAPIController.php b/apps/federation/lib/Controller/OCSAuthAPIController.php
new file mode 100644
index 00000000000..68e0f8b271e
--- /dev/null
+++ b/apps/federation/lib/Controller/OCSAuthAPIController.php
@@ -0,0 +1,187 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ *
+ * @author Björn Schießle <bjoern@schiessle.org>
+ * @author Lukas Reschke <lukas@statuscode.ch>
+ * @author Robin Appelman <robin@icewind.nl>
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+
+namespace OCA\Federation\Controller;
+
+use OCA\Federation\DbHandler;
+use OCA\Federation\TrustedServers;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\OCS\OCSForbiddenException;
+use OCP\AppFramework\OCSController;
+use OCP\BackgroundJob\IJobList;
+use OCP\ILogger;
+use OCP\IRequest;
+use OCP\Security\ISecureRandom;
+
+/**
+ * Class OCSAuthAPI
+ *
+ * OCS API end-points to exchange shared secret between two connected ownClouds
+ *
+ * @package OCA\Federation\Controller
+ */
+class OCSAuthAPIController extends OCSController{
+
+	/** @var ISecureRandom  */
+	private $secureRandom;
+
+	/** @var IJobList */
+	private $jobList;
+
+	/** @var TrustedServers */
+	private $trustedServers;
+
+	/** @var DbHandler */
+	private $dbHandler;
+
+	/** @var ILogger */
+	private $logger;
+
+	/**
+	 * OCSAuthAPI constructor.
+	 *
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param ISecureRandom $secureRandom
+	 * @param IJobList $jobList
+	 * @param TrustedServers $trustedServers
+	 * @param DbHandler $dbHandler
+	 * @param ILogger $logger
+	 */
+	public function __construct(
+		$appName,
+		IRequest $request,
+		ISecureRandom $secureRandom,
+		IJobList $jobList,
+		TrustedServers $trustedServers,
+		DbHandler $dbHandler,
+		ILogger $logger
+	) {
+		parent::__construct($appName, $request);
+
+		$this->secureRandom = $secureRandom;
+		$this->jobList = $jobList;
+		$this->trustedServers = $trustedServers;
+		$this->dbHandler = $dbHandler;
+		$this->logger = $logger;
+	}
+
+	/**
+	 * @NoCSRFRequired
+	 * @PublicPage
+	 *
+	 * request received to ask remote server for a shared secret
+	 *
+	 * @return Http\DataResponse
+	 * @throws OCSForbiddenException
+	 */
+	public function requestSharedSecret() {
+
+		$url = $this->request->getParam('url');
+		$token = $this->request->getParam('token');
+
+		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']);
+			throw new OCSForbiddenException();
+		}
+
+		// if both server initiated the exchange of the shared secret the greater
+		// token wins
+		$localToken = $this->dbHandler->getToken($url);
+		if (strcmp($localToken, $token) > 0) {
+			$this->logger->info(
+				'remote server (' . $url . ') presented lower token. We will initiate the exchange of the shared secret.',
+				['app' => 'federation']
+			);
+			throw new OCSForbiddenException();
+		}
+
+		// we ask for the shared secret so we no longer have to ask the other server
+		// to request the shared secret
+		$this->jobList->remove('OCA\Federation\BackgroundJob\RequestSharedSecret',
+			[
+				'url' => $url,
+				'token' => $localToken
+			]
+		);
+
+		$this->jobList->add(
+			'OCA\Federation\BackgroundJob\GetSharedSecret',
+			[
+				'url' => $url,
+				'token' => $token,
+			]
+		);
+
+		return new Http\DataResponse();
+	}
+
+	/**
+	 * @NoCSRFRequired
+	 * @PublicPage
+	 *
+	 * create shared secret and return it
+	 *
+	 * @return Http\DataResponse
+	 * @throws OCSForbiddenException
+	 */
+	public function getSharedSecret() {
+
+		$url = $this->request->getParam('url');
+		$token = $this->request->getParam('token');
+
+		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']);
+			throw new OCSForbiddenException();
+		}
+
+		if ($this->isValidToken($url, $token) === false) {
+			$expectedToken = $this->dbHandler->getToken($url);
+			$this->logger->error(
+				'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret',
+				['app' => 'federation']
+			);
+			throw new OCSForbiddenException();
+		}
+
+		$sharedSecret = $this->secureRandom->generate(32);
+
+		$this->trustedServers->addSharedSecret($url, $sharedSecret);
+		// reset token after the exchange of the shared secret was successful
+		$this->dbHandler->addToken($url, '');
+
+		return new Http\DataResponse([
+			'sharedSecret' => $sharedSecret
+		]);
+	}
+
+	protected function isValidToken($url, $token) {
+		$storedToken = $this->dbHandler->getToken($url);
+		return hash_equals($storedToken, $token);
+	}
+
+}