authorSandro Lutz <sandro.lutz@temparus.ch>2017-02-07 00:12:45 +0100
committerSandro Lutz <sandro.lutz@temparus.ch>2017-02-07 00:15:30 +0100
commitfa1d607bfa951711a2c358f889db56962c179153 (patch)
tree904b6bd3b7f9d2ed133f64da22b3fb9bbfbf1842 /core/Controller
parentff3fa538e43bb38a5ff142b07216b9de79645c01 (diff)
parentb55f5af7eaab6f827989407fa7b8d51cbb877eab (diff)
Merge remote-tracking branch 'nextcloud/master'
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/CssController.php79
-rw-r--r--core/Controller/LoginController.php25
-rw-r--r--core/Controller/LostController.php6
-rw-r--r--core/Controller/OCSController.php16
-rw-r--r--core/Controller/SetupController.php1
-rw-r--r--core/Controller/TwoFactorChallengeController.php26
6 files changed, 117 insertions, 36 deletions
diff --git a/core/Controller/CssController.php b/core/Controller/CssController.php
new file mode 100644
index 00000000000..1206c95a5b8
--- /dev/null
+++ b/core/Controller/CssController.php
@@ -0,0 +1,79 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016, John Molakvoæ (skjnldsv@protonmail.com)
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Core\Controller;
+
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\NotFoundResponse;
+use OCP\AppFramework\Http\FileDisplayResponse;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Files\IAppData;
+use OCP\Files\NotFoundException;
+use OCP\IRequest;
+
+class CssController extends Controller {
+
+ /** @var IAppData */
+ protected $appData;
+
+ /** @var ITimeFactory */
+ protected $timeFactory;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IAppData $appData
+ * @param ITimeFactory $timeFactory
+ */
+ public function __construct($appName, IRequest $request, IAppData $appData, ITimeFactory $timeFactory) {
+ parent::__construct($appName, $request);
+
+ $this->appData = $appData;
+ $this->timeFactory = $timeFactory;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @param string $fileName css filename with extension
+ * @param string $appName css folder name
+ * @return FileDisplayResponse|NotFoundResponse
+ */
+ public function getCss($fileName, $appName) {
+ try {
+ $folder = $this->appData->getFolder($appName);
+ $cssFile = $folder->getFile($fileName);
+ } catch(NotFoundException $e) {
+ return new NotFoundResponse();
+ }
+
+ $response = new FileDisplayResponse($cssFile, Http::STATUS_OK, ['Content-Type' => 'text/css']);
+ $response->cacheFor(86400);
+ $expires = new \DateTime();
+ $expires->setTimestamp($this->timeFactory->getTime());
+ $expires->add(new \DateInterval('PT24H'));
+ $response->addHeader('Expires', $expires->format(\DateTime::RFC1123));
+ $response->addHeader('Pragma', 'cache');
+ return $response;
+ }
+}
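Review bot: getCss hands whatever `getFile($fileName)` returns from the appdata folder named by `$appName` to the client as `text/css` on a @PublicPage/@NoCSRFRequired route, and the only failure it handles is NotFoundException; nothing in the new file checks that `$fileName` actually names a stylesheet, so any other file that ends up in that folder would be served with a CSS content type. A cheap guard before the lookup keeps the route to its stated purpose: `if (substr($fileName, -4) !== '.css') { return new NotFoundResponse(); }`. Whether IAppData rejects path components in `$appName` and `$fileName` is not visible here and should be confirmed against the implementation, since both values arrive straight from the route. Separately, `cacheFor(86400)` and `new \DateInterval('PT24H')` encode the same lifetime twice; hoisting it into one constant keeps Cache-Control and Expires from drifting apart.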
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 92ea3014ba2..c0e7be280b8 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -160,7 +160,6 @@ class LoginController extends Controller {
}
$parameters['alt_login'] = OC_App::getAlternativeLogIns();
- $parameters['rememberLoginAllowed'] = OC_Util::rememberLoginAllowed();
$parameters['rememberLoginState'] = !empty($remember_login) ? $remember_login : 0;
if (!is_null($user) && $user !== '') {
@@ -171,6 +170,8 @@ class LoginController extends Controller {
$parameters['user_autofocus'] = true;
}
+ \OC_Util::addStyle('guest');
+
return new TemplateResponse(
$this->appName, 'login', $parameters, 'guest'
);
@@ -206,8 +207,8 @@ class LoginController extends Controller {
* @return RedirectResponse
*/
public function tryLogin($user, $password, $redirect_url, $remember_login = false, $timezone = '', $timezone_offset = '') {
- $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'login');
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
// If the user is already logged in and the CSRF check does not pass then
// simply redirect the user to the correct page as required. This is the
@@ -235,7 +236,7 @@ class LoginController extends Controller {
if ($loginResult === false) {
$this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]);
if($currentDelay === 0) {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
}
$this->session->set('loginMessages', [
['invalidpassword'], []
@@ -300,19 +301,15 @@ class LoginController extends Controller {
* @return DataResponse
*/
public function confirmPassword($password) {
- $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
-
- $user = $this->userSession->getUser();
- if (!$user instanceof IUser) {
- return new DataResponse([], Http::STATUS_UNAUTHORIZED);
- }
+ $currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress(), 'sudo');
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');
- $loginResult = $this->userManager->checkPassword($user->getUID(), $password);
+ $loginName = $this->userSession->getLoginName();
+ $loginResult = $this->userManager->checkPassword($loginName, $password);
if ($loginResult === false) {
- $this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $user->getUID()]);
+ $this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $loginName]);
if ($currentDelay === 0) {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'sudo');
}
return new DataResponse([], Http::STATUS_FORBIDDEN);
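Review bot: The `instanceof IUser` guard that returned STATUS_UNAUTHORIZED is removed without a replacement, so if `getLoginName()` yields null or an empty string the code proceeds into `checkPassword` and, on failure, registers a throttler attempt with `'user' => null`. Presumably confirmPassword is not a @PublicPage and the middleware already rejects anonymous callers, but its annotations are outside the hunk, so that cannot be confirmed here. Restoring an explicit check keeps the endpoint self-contained: `if ($loginName === null || $loginName === '') { return new DataResponse([], Http::STATUS_UNAUTHORIZED); }`. The switch from `$user->getUID()` to the session's login name also deserves a one-line comment, e.g. `// verify against the name the user logged in with; it need not equal the UID`, since the reason is not stated anywhere in the hunk. confirmPassword continues past the end of the hunk.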
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 01c107e8326..8a8a50343ed 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -30,6 +30,7 @@
namespace OC\Core\Controller;
+use OCA\Encryption\Exceptions\PrivateKeyMissingException;
use \OCP\AppFramework\Controller;
use \OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Utility\ITimeFactory;
@@ -154,7 +155,7 @@ class LostController extends Controller {
* @param string $userId
* @throws \Exception
*/
- private function checkPasswordResetToken($token, $userId) {
+ protected function checkPasswordResetToken($token, $userId) {
$user = $this->userManager->get($userId);
if($user === null) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
@@ -201,6 +202,7 @@ class LostController extends Controller {
/**
* @PublicPage
+ * @BruteForceProtection passwordResetEmail
*
* @param string $user
* @return array
@@ -233,6 +235,8 @@ class LostController extends Controller {
$this->checkPasswordResetToken($token, $userId);
$user = $this->userManager->get($userId);
+ \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password));
+
if (!$user->setPassword($password)) {
throw new \Exception();
}
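Review bot: The new `\OC_Hook::emit` call fires under the class name `\OC\Core\LostPassword\Controller\LostController`, which does not match this file's `OC\Core\Controller` namespace shown in the first hunk, and its payload hands every listener the plaintext `$password`; neither is explained, so the next reader is likely to "fix" the name and silently break listeners. A comment above the call would settle both, e.g. `// Legacy hook name kept so existing listeners keep firing; payload carries the plaintext password on purpose (listeners re-key with it)` — the re-keying purpose is inferred from the newly imported PrivateKeyMissingException and should be confirmed. In the second hunk, `checkPasswordResetToken` goes from private to protected, widening a security check to subclasses; if that is only for test overriding, a `@internal` tag on its docblock would say so. setPassword's enclosing method starts outside the hunk.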
diff --git a/core/Controller/OCSController.php b/core/Controller/OCSController.php
index c59b0d7ad3f..1deb5e958bd 100644
--- a/core/Controller/OCSController.php
+++ b/core/Controller/OCSController.php
@@ -106,20 +106,6 @@ class OCSController extends \OCP\AppFramework\OCSController {
}
/**
- * @NoAdminRequired
- * @return DataResponse
- */
- public function getCurrentUser() {
- $userObject = $this->userSession->getUser();
- $data = [
- 'id' => $userObject->getUID(),
- 'display-name' => $userObject->getDisplayName(),
- 'email' => $userObject->getEMailAddress(),
- ];
- return new DataResponse($data);
- }
-
- /**
* @PublicPage
*
* @param string $login
@@ -128,7 +114,7 @@ class OCSController extends \OCP\AppFramework\OCSController {
*/
public function personCheck($login = '', $password = '') {
if ($login !== '' && $password !== '') {
- $this->throttler->sleepDelay($this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'login');
if ($this->userManager->checkPassword($login, $password)) {
return new DataResponse([
'person' => [
diff --git a/core/Controller/SetupController.php b/core/Controller/SetupController.php
index bb7c8c4969d..87508423cd3 100644
--- a/core/Controller/SetupController.php
+++ b/core/Controller/SetupController.php
@@ -92,6 +92,7 @@ class SetupController {
\OC_Util::addVendorScript('strengthify/jquery.strengthify');
\OC_Util::addVendorStyle('strengthify/strengthify');
+ \OC_Util::addStyle('guest');
\OC_Util::addScript('setup');
\OC_Template::printGuestPage('', 'installation', $parameters);
}
diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index b2614138123..fd4811d3ff6 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -29,6 +29,7 @@ use OC_Util;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse;
+use OCP\Authentication\TwoFactorAuth\TwoFactorException;
use OCP\IRequest;
use OCP\ISession;
use OCP\IURLGenerator;
@@ -115,19 +116,23 @@ class TwoFactorChallengeController extends Controller {
$backupProvider = null;
}
+ $errorMessage = '';
+ $error = false;
if ($this->session->exists('two_factor_auth_error')) {
$this->session->remove('two_factor_auth_error');
$error = true;
- } else {
- $error = false;
+ $errorMessage = $this->session->get("two_factor_auth_error_message");
+ $this->session->remove('two_factor_auth_error_message');
}
$tmpl = $provider->getTemplate($user);
$tmpl->assign('redirect_url', $redirect_url);
$data = [
'error' => $error,
+ 'error_message' => $errorMessage,
'provider' => $provider,
'backupProvider' => $backupProvider,
'logout_attribute' => $this->getLogoutAttribute(),
+ 'redirect_url' => $redirect_url,
'template' => $tmpl->fetchPage(),
];
return new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
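Review bot: `$errorMessage` is read from the session only when `two_factor_auth_error` is set, but the next hunk sets that flag on both the false-return path and the exception path while the message is stored only on the exception path, so a plainly failed challenge makes `get("two_factor_auth_error_message")` return null and the template receives `error_message => null` rather than the `''` initialised two lines earlier. A cast keeps the template contract stable: `$errorMessage = (string) $this->session->get('two_factor_auth_error_message');`, which also drops the double-quoted key that is inconsistent with the single-quoted session keys around it. `'redirect_url' => $redirect_url` is new template data that, judging by the `urldecode` in the next hunk, originates from the request, so the `twofactorshowchallenge` template must escape it on output; the template is not in this diff. showChallenge starts outside the hunk.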
@@ -150,11 +155,20 @@ class TwoFactorChallengeController extends Controller {
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
- if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
- if (!is_null($redirect_url)) {
- return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
+ try {
+ if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
+ if (!is_null($redirect_url)) {
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
+ }
+ return new RedirectResponse(OC_Util::getDefaultPageUrl());
}
- return new RedirectResponse(OC_Util::getDefaultPageUrl());
+ } catch (TwoFactorException $e) {
+ /*
+ * The 2FA App threw an TwoFactorException. Now we display more
+ * information to the user. The exception text is stored in the
+ * session to be used in showChallenge()
+ */
+ $this->session->set('two_factor_auth_error_message', $e->getMessage());
}
$this->session->set('two_factor_auth_error', true);
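Review bot: The text stored under `two_factor_auth_error_message` is whatever the provider put in `$e->getMessage()` and is handed to the `twofactorshowchallenge` template as `error_message` in the previous hunk, so it has to be output-escaped there; the template is not part of this diff and should be checked. The catch block's comment reads "threw an TwoFactorException"; suggest `* The 2FA app threw a TwoFactorException. Its message is shown to the user by showChallenge(), which reads it back from the session.` Only TwoFactorException is caught, so any other exception from `verifyChallenge` still propagates as before, which is presumably intended. solveChallenge continues past the end of the hunk.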