add 2fa backup codes app

* add backup codes app unit tests
* add integration tests for the backup codes app

5 files changed, 408 insertions, 0 deletions

diff --git a/apps/twofactor_backupcodes/lib/Controller/SettingsController.php b/apps/twofactor_backupcodes/lib/Controller/SettingsController.php
new file mode 100644
index 00000000000..5130357baa5
--- /dev/null
+++ b/apps/twofactor_backupcodes/lib/Controller/SettingsController.php
@@ -0,0 +1,73 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\TwoFactor_BackupCodes\Controller;
+
+use OCA\TwoFactor_BackupCodes\Service\BackupCodeStorage;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IRequest;
+use OCP\IUserSession;
+
+class SettingsController extends Controller {
+
+	/** @var BackupCodeStorage */
+	private $storage;
+
+	/** @var IUserSession */
+	private $userSession;
+
+	/**
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param BackupCodeStorage $storage
+	 * @param IUserSession $userSession
+	 */
+	public function __construct($appName, IRequest $request, BackupCodeStorage $storage, IUserSession $userSession) {
+		parent::__construct($appName, $request);
+		$this->userSession = $userSession;
+		$this->storage = $storage;
+	}
+
+	/**
+	 * @NoAdminRequired
+	 * @return JSONResponse
+	 */
+	public function state() {
+		$user = $this->userSession->getUser();
+		return $this->storage->getBackupCodesState($user);
+	}
+
+	/**
+	 * @NoAdminRequired
+	 * @return JSONResponse
+	 */
+	public function createCodes() {
+		$user = $this->userSession->getUser();
+		$codes = $this->storage->createCodes($user);
+		return [
+		    'codes' => $codes,
+		    'state' => $this->storage->getBackupCodesState($user),
+		];
+	}
+
+}
diff --git a/apps/twofactor_backupcodes/lib/Db/BackupCode.php b/apps/twofactor_backupcodes/lib/Db/BackupCode.php
new file mode 100644
index 00000000000..5bfb681063c
--- /dev/null
+++ b/apps/twofactor_backupcodes/lib/Db/BackupCode.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\TwoFactor_BackupCodes\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method string getUserId()
+ * @method void setUserId(string $userId)
+ * @method string getCode()
+ * @method void setCode(string $code)
+ * @method int getUsed()
+ * @method void setUsed(int $code)
+ */
+class BackupCode extends Entity {
+
+	/** @var string */
+	protected $userId;
+
+	/** @var string */
+	protected $code;
+
+	/** @var int */
+	protected $used;
+
+}
diff --git a/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php b/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
new file mode 100644
index 00000000000..d6256929675
--- /dev/null
+++ b/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
@@ -0,0 +1,66 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\TwoFactor_BackupCodes\Db;
+
+use OCP\AppFramework\Db\Mapper;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDb;
+use OCP\IUser;
+
+class BackupCodeMapper extends Mapper {
+
+	public function __construct(IDb $db) {
+		parent::__construct($db, 'twofactor_backup_codes');
+	}
+
+	/**
+	 * @param IUser $user
+	 * @return BackupCode[]
+	 */
+	public function getBackupCodes(IUser $user) {
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('id', 'user_id', 'code', 'used')
+			->from('twofactor_backup_codes')
+			->where($qb->expr()->eq('user_id', $qb->createNamedParameter($user->getUID())));
+		$result = $qb->execute();
+
+		$rows = $result->fetchAll();
+		$result->closeCursor();
+
+		return array_map(function ($row) {
+			return BackupCode::fromRow($row);
+		}, $rows);
+	}
+
+	public function deleteCodes(IUser $user) {
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->delete('twofactor_backup_codes')
+			->where($qb->expr()->eq('user_id', $qb->createNamedParameter($user->getUID())));
+		$qb->execute();
+	}
+
+}
diff --git a/apps/twofactor_backupcodes/lib/Provider/BackupCodesProvider.php b/apps/twofactor_backupcodes/lib/Provider/BackupCodesProvider.php
new file mode 100644
index 00000000000..91975dfad8d
--- /dev/null
+++ b/apps/twofactor_backupcodes/lib/Provider/BackupCodesProvider.php
@@ -0,0 +1,102 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\TwoFactor_BackupCodes\Provider;
+
+use OCA\TwoFactor_BackupCodes\Service\BackupCodeStorage;
+use OCP\Authentication\TwoFactorAuth\IProvider;
+use OCP\IL10N;
+use OCP\IUser;
+use OCP\Template;
+
+class BackupCodesProvider implements IProvider {
+
+	/** @var BackupCodeStorage */
+	private $storage;
+
+	/** @var IL10N */
+	private $l10n;
+
+	public function __construct(BackupCodeStorage $storage, IL10N $l10n) {
+		$this->l10n = $l10n;
+		$this->storage = $storage;
+	}
+
+	/**
+	 * Get unique identifier of this 2FA provider
+	 *
+	 * @return string
+	 */
+	public function getId() {
+		return 'backup_codes';
+	}
+
+	/**
+	 * Get the display name for selecting the 2FA provider
+	 *
+	 * @return string
+	 */
+	public function getDisplayName() {
+		return $this->l10n->t('Backup code');
+	}
+
+	/**
+	 * Get the description for selecting the 2FA provider
+	 *
+	 * @return string
+	 */
+	public function getDescription() {
+		return $this->l10n->t('Use backup code');
+	}
+
+	/**
+	 * Get the template for rending the 2FA provider view
+	 *
+	 * @param IUser $user
+	 * @return Template
+	 */
+	public function getTemplate(IUser $user) {
+		$tmpl = new Template('twofactor_backupcodes', 'challenge');
+		return $tmpl;
+	}
+
+	/**
+	 * Verify the given challenge
+	 *
+	 * @param IUser $user
+	 * @param string $challenge
+	 */
+	public function verifyChallenge(IUser $user, $challenge) {
+		return $this->storage->validateCode($user, $challenge);
+	}
+
+	/**
+	 * Decides whether 2FA is enabled for the given user
+	 *
+	 * @param IUser $user
+	 * @return boolean
+	 */
+	public function isTwoFactorAuthEnabledForUser(IUser $user) {
+		return $this->storage->hasBackupCodes($user);
+	}
+
+}
diff --git a/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php b/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
new file mode 100644
index 00000000000..9c78581255f
--- /dev/null
+++ b/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
@@ -0,0 +1,121 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\TwoFactor_BackupCodes\Service;
+
+use OCA\TwoFactor_BackupCodes\Db\BackupCode;
+use OCA\TwoFactor_BackupCodes\Db\BackupCodeMapper;
+use OCP\IUser;
+use OCP\Security\IHasher;
+use OCP\Security\ISecureRandom;
+
+class BackupCodeStorage {
+
+	/** @var BackupCodeMapper */
+	private $mapper;
+
+	/** @var IHasher */
+	private $hasher;
+
+	/** @var ISecureRandom */
+	private $random;
+
+	public function __construct(BackupCodeMapper $mapper, ISecureRandom $random, IHasher $hasher) {
+		$this->mapper = $mapper;
+		$this->hasher = $hasher;
+		$this->random = $random;
+	}
+
+	/**
+	 * @param IUser $user
+	 * @return string[]
+	 */
+	public function createCodes(IUser $user, $number = 10) {
+		$result = [];
+
+		// Delete existing ones
+		$this->mapper->deleteCodes($user);
+
+		$uid = $user->getUID();
+		foreach (range(1, min([$number, 20])) as $i) {
+			$code = $this->random->generate(10, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
+
+			$dbCode = new BackupCode();
+			$dbCode->setUserId($uid);
+			$dbCode->setCode($this->hasher->hash($code));
+			$dbCode->setUsed(0);
+			$this->mapper->insert($dbCode);
+
+			array_push($result, $code);
+		}
+
+		return $result;
+	}
+
+	/**
+	 * @param IUser $user
+	 * @return bool
+	 */
+	public function hasBackupCodes(IUser $user) {
+		$codes = $this->mapper->getBackupCodes($user);
+		return count($codes) > 0;
+	}
+
+	/**
+	 * @param IUser $user
+	 * @return array
+	 */
+	public function getBackupCodesState(IUser $user) {
+		$codes = $this->mapper->getBackupCodes($user);
+		$total = count($codes);
+		$used = 0;
+		array_walk($codes, function (BackupCode $code) use (&$used) {
+			if (1 === (int) $code->getUsed()) {
+				$used++;
+			}
+		});
+		return [
+			'enabled' => $total > 0,
+			'total' => $total,
+			'used' => $used,
+		];
+	}
+
+	/**
+	 * @param IUser $user
+	 * @param string $code
+	 * @return bool
+	 */
+	public function validateCode(IUser $user, $code) {
+		$dbCodes = $this->mapper->getBackupCodes($user);
+
+		foreach ($dbCodes as $dbCode) {
+			if (0 === (int) $dbCode->getUsed() && $this->hasher->verify($code, $dbCode->getCode())) {
+				$dbCode->setUsed(1);
+				$this->mapper->update($dbCode);
+				return true;
+			}
+		}
+		return false;
+	}
+
+}