diff options
| author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2018-05-22 08:52:16 +0200 |
|---|---|---|
| committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2018-06-20 08:30:26 +0200 |
| commit | 13d93f5b25aa3e663146349583a0a8e01b216f7a (patch) | |
| tree | 494950eefa4b27c980ebce22eeafa58eab08892d /lib/private/Authentication | |
| parent | cad8824a8e7da7fcf61960b6502b307672651c2b (diff) | |
| download | nextcloud-server-13d93f5b25aa3e663146349583a0a8e01b216f7a.tar.gz nextcloud-server-13d93f5b25aa3e663146349583a0a8e01b216f7a.zip | |
Make 2FA providers stateful
This adds persistence to the Nextcloud server 2FA logic so that the server
knows which 2FA providers are enabled for a specific user at any time, even
when the provider is not available.
The `IStatefulProvider` interface was added as tagging interface for providers
that are compatible with this new API.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Diffstat (limited to 'lib/private/Authentication')
5 files changed, 391 insertions, 72 deletions
diff --git a/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php new file mode 100644 index 00000000000..5b3f2849433 --- /dev/null +++ b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php @@ -0,0 +1,86 @@ +<?php + +declare(strict_types = 1); + +/** + * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Authentication\TwoFactorAuth\Db; + +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; + +/** + * Data access object to query and assign (provider_id, uid, enabled) tuples of + * 2FA providers + */ +class ProviderUserAssignmentDao { + + const TABLE_NAME = 'twofactor_providers'; + + /** @var IDBConnection */ + private $conn; + + public function __construct(IDBConnection $dbConn) { + $this->conn = $dbConn; + } + + /** + * Get all assigned provider IDs for the given user ID + * + * @return string[] where the array key is the provider ID (string) and the + * value is the enabled state (bool) + */ + public function getState(string $uid): array { + $qb = $this->conn->getQueryBuilder(); + + $query = $qb->select('provider_id', 'enabled') + ->from(self::TABLE_NAME) + ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))); + $result = $query->execute(); + $providers = []; + foreach ($result->fetchAll() as $row) { + $providers[$row['provider_id']] = 1 === (int) $row['enabled']; + } + $result->closeCursor(); + + return $providers; + } + + /** + * Persist a new/updated (provider_id, uid, enabled) tuple + */ + public function persist(string $providerId, string $uid, int $enabled) { + $qb = $this->conn->getQueryBuilder(); + + // TODO: concurrency? What if (providerId, uid) private key is inserted + // twice at the same time? + $query = $qb->insert(self::TABLE_NAME)->values([ + 'provider_id' => $qb->createNamedParameter($providerId), + 'uid' => $qb->createNamedParameter($uid), + 'enabled' => $qb->createNamedParameter($enabled, IQueryBuilder::PARAM_INT), + ]); + + $query->execute(); + } + +} diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php index 933b86ffda5..0837ec339a5 100644 --- a/lib/private/Authentication/TwoFactorAuth/Manager.php +++ b/lib/private/Authentication/TwoFactorAuth/Manager.php @@ -1,5 +1,6 @@ <?php -declare(strict_types=1); + +declare(strict_types = 1); /** * @copyright Copyright (c) 2016, ownCloud, Inc. * @@ -28,15 +29,12 @@ namespace OC\Authentication\TwoFactorAuth; use BadMethodCallException; use Exception; -use OC; -use OC\App\AppManager; -use OC_App; use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider as TokenProvider; use OCP\Activity\IManager; -use OCP\AppFramework\QueryException; use OCP\AppFramework\Utility\ITimeFactory; use OCP\Authentication\TwoFactorAuth\IProvider; +use OCP\Authentication\TwoFactorAuth\IRegistry; use OCP\IConfig; use OCP\ILogger; use OCP\ISession; @@ -48,12 +46,13 @@ class Manager { const SESSION_UID_KEY = 'two_factor_auth_uid'; const SESSION_UID_DONE = 'two_factor_auth_passed'; - const BACKUP_CODES_APP_ID = 'twofactor_backupcodes'; - const BACKUP_CODES_PROVIDER_ID = 'backup_codes'; const REMEMBER_LOGIN = 'two_factor_remember_login'; - /** @var AppManager */ - private $appManager; + /** @var ProviderLoader */ + private $providerLoader; + + /** @var IRegistry */ + private $providerRegistry; /** @var ISession */ private $session; @@ -76,25 +75,11 @@ class Manager { /** @var EventDispatcherInterface */ private $dispatcher; - /** - * @param AppManager $appManager - * @param ISession $session - * @param IConfig $config - * @param IManager $activityManager - * @param ILogger $logger - * @param TokenProvider $tokenProvider - * @param ITimeFactory $timeFactory - * @param EventDispatcherInterface $eventDispatcher - */ - public function __construct(AppManager $appManager, - ISession $session, - IConfig $config, - IManager $activityManager, - ILogger $logger, - TokenProvider $tokenProvider, - ITimeFactory $timeFactory, - EventDispatcherInterface $eventDispatcher) { - $this->appManager = $appManager; + public function __construct(ProviderLoader $providerLoader, + IRegistry $providerRegistry, ISession $session, IConfig $config, + IManager $activityManager, ILogger $logger, TokenProvider $tokenProvider, + ITimeFactory $timeFactory, EventDispatcherInterface $eventDispatcher) { + $this->providerLoader = $providerLoader; $this->session = $session; $this->config = $config; $this->activityManager = $activityManager; @@ -102,6 +87,7 @@ class Manager { $this->tokenProvider = $tokenProvider; $this->timeFactory = $timeFactory; $this->dispatcher = $eventDispatcher; + $this->providerRegistry = $providerRegistry; } /** @@ -112,7 +98,15 @@ class Manager { */ public function isTwoFactorAuthenticated(IUser $user): bool { $twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0; - return $twoFactorEnabled && \count($this->getProviders($user)) > 0; + + if (!$twoFactorEnabled) { + return false; + } + + $providerStates = $this->providerRegistry->getProviderStates($user); + $enabled = array_filter($providerStates); + + return $twoFactorEnabled && !empty($enabled); } /** @@ -141,71 +135,96 @@ class Manager { * @return IProvider|null */ public function getProvider(IUser $user, string $challengeProviderId) { - $providers = $this->getProviders($user, true); + $providers = $this->getProviderSet($user)->getProviders(); return $providers[$challengeProviderId] ?? null; } /** + * Check if the persistant mapping of enabled/disabled state of each available + * provider is missing an entry and add it to the registry in that case. + * + * @todo remove in Nextcloud 17 as by then all providers should have been updated + * + * @param string[] $providerStates + * @param IProvider[] $providers * @param IUser $user - * @return IProvider|null the backup provider, if enabled for the given user + * @return string[] the updated $providerStates variable */ - public function getBackupProvider(IUser $user) { - $providers = $this->getProviders($user, true); - if (!isset($providers[self::BACKUP_CODES_PROVIDER_ID])) { - return null; + private function fixMissingProviderStates(array $providerStates, + array $providers, IUser $user): array { + + foreach ($providers as $provider) { + if (isset($providerStates[$provider->getId()])) { + // All good + continue; + } + + $enabled = $provider->isTwoFactorAuthEnabledForUser($user); + if ($enabled) { + $this->providerRegistry->enableProviderFor($provider, $user); + } else { + $this->providerRegistry->disableProviderFor($provider, $user); + } + $providerStates[$provider->getId()] = $enabled; } - return $providers[self::BACKUP_CODES_PROVIDER_ID]; + + return $providerStates; } /** - * Get the list of 2FA providers for the given user - * - * @param IUser $user - * @param bool $includeBackupApp - * @return IProvider[] - * @throws Exception + * @param array $states + * @param IProvider $providers */ - public function getProviders(IUser $user, bool $includeBackupApp = false): array { - $allApps = $this->appManager->getEnabledAppsForUser($user); - $providers = []; + private function isProviderMissing(array $states, array $providers): bool { + $indexed = []; + foreach ($providers as $provider) { + $indexed[$provider->getId()] = $provider; + } - foreach ($allApps as $appId) { - if (!$includeBackupApp && $appId === self::BACKUP_CODES_APP_ID) { + $missing = []; + foreach ($states as $providerId => $enabled) { + if (!$enabled) { + // Don't care continue; } - $info = $this->appManager->getAppInfo($appId); - if (isset($info['two-factor-providers'])) { - /** @var string[] $providerClasses */ - $providerClasses = $info['two-factor-providers']; - foreach ($providerClasses as $class) { - try { - $this->loadTwoFactorApp($appId); - $provider = OC::$server->query($class); - $providers[$provider->getId()] = $provider; - } catch (QueryException $exc) { - // Provider class can not be resolved - throw new Exception("Could not load two-factor auth provider $class"); - } - } + if (!isset($indexed[$providerId])) { + $missing[] = $providerId; + $this->logger->alert("two-factor auth provider '$providerId' failed to load", + [ + 'app' => 'core', + ]); } } - return array_filter($providers, function ($provider) use ($user) { - /* @var $provider IProvider */ - return $provider->isTwoFactorAuthEnabledForUser($user); - }); + if (!empty($missing)) { + // There was at least one provider missing + $this->logger->alert(count($missing) . " two-factor auth providers failed to load", ['app' => 'core']); + + return true; + } + + // If we reach this, there was not a single provider missing + return false; } /** - * Load an app by ID if it has not been loaded yet + * Get the list of 2FA providers for the given user * - * @param string $appId + * @param IUser $user + * @throws Exception */ - protected function loadTwoFactorApp(string $appId) { - if (!OC_App::isAppLoaded($appId)) { - OC_App::loadApp($appId); - } + public function getProviderSet(IUser $user): ProviderSet { + $providerStates = $this->providerRegistry->getProviderStates($user); + $providers = $this->providerLoader->getProviders($user); + + $fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user); + $isProviderMissing = $this->isProviderMissing($fixedStates, $providers); + + $enabled = array_filter($providers, function (IProvider $provider) use ($fixedStates) { + return $fixedStates[$provider->getId()]; + }); + return new ProviderSet($enabled, $isProviderMissing); } /** @@ -272,7 +291,7 @@ class Manager { try { $this->activityManager->publish($activity); } catch (BadMethodCallException $e) { - $this->logger->warning('could not publish backup code creation activity', ['app' => 'core']); + $this->logger->warning('could not publish activity', ['app' => 'core']); $this->logger->logException($e, ['app' => 'core']); } } diff --git a/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php b/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php new file mode 100644 index 00000000000..bd20cd12949 --- /dev/null +++ b/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php @@ -0,0 +1,88 @@ +<?php + +/** + * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Authentication\TwoFactorAuth; + +use Exception; +use OC; +use OC_App; +use OCP\App\IAppManager; +use OCP\AppFramework\QueryException; +use OCP\Authentication\TwoFactorAuth\IProvider; +use OCP\IUser; + +class ProviderLoader { + + const BACKUP_CODES_APP_ID = 'twofactor_backupcodes'; + + /** @var IAppManager */ + private $appManager; + + public function __construct(IAppManager $appManager) { + $this->appManager = $appManager; + } + + /** + * Get the list of 2FA providers for the given user + * + * @return IProvider[] + * @throws Exception + */ + public function getProviders(IUser $user): array { + $allApps = $this->appManager->getEnabledAppsForUser($user); + $providers = []; + + foreach ($allApps as $appId) { + $info = $this->appManager->getAppInfo($appId); + if (isset($info['two-factor-providers'])) { + /** @var string[] $providerClasses */ + $providerClasses = $info['two-factor-providers']; + foreach ($providerClasses as $class) { + try { + $this->loadTwoFactorApp($appId); + $provider = OC::$server->query($class); + $providers[$provider->getId()] = $provider; + } catch (QueryException $exc) { + // Provider class can not be resolved + throw new Exception("Could not load two-factor auth provider $class"); + } + } + } + } + + return $providers; + } + + /** + * Load an app by ID if it has not been loaded yet + * + * @param string $appId + */ + protected function loadTwoFactorApp(string $appId) { + if (!OC_App::isAppLoaded($appId)) { + OC_App::loadApp($appId); + } + } + +} diff --git a/lib/private/Authentication/TwoFactorAuth/ProviderSet.php b/lib/private/Authentication/TwoFactorAuth/ProviderSet.php new file mode 100644 index 00000000000..60e967ba546 --- /dev/null +++ b/lib/private/Authentication/TwoFactorAuth/ProviderSet.php @@ -0,0 +1,71 @@ +<?php + +/** + * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Authentication\TwoFactorAuth; + +use OCP\Authentication\TwoFactorAuth\IProvider; + +/** + * Contains all two-factor provider information for the two-factor login challenge + */ +class ProviderSet { + + /** @var IProvider */ + private $providers; + + /** @var bool */ + private $providerMissing; + + /** + * @param IProvider[] $providers + * @param bool $providerMissing + */ + public function __construct(array $providers, bool $providerMissing) { + $this->providers = []; + foreach ($providers as $provider) { + $this->providers[$provider->getId()] = $provider; + } + $this->providerMissing = $providerMissing; + } + + /** + * @param string $providerId + * @return IProvider|null + */ + public function getProvider(string $providerId) { + return $this->providers[$providerId] ?? null; + } + + /** + * @return IProvider[] + */ + public function getProviders(): array { + return $this->providers; + } + + public function isProviderMissing(): bool { + return $this->providerMissing; + } + +} diff --git a/lib/private/Authentication/TwoFactorAuth/Registry.php b/lib/private/Authentication/TwoFactorAuth/Registry.php new file mode 100644 index 00000000000..0cfb052440e --- /dev/null +++ b/lib/private/Authentication/TwoFactorAuth/Registry.php @@ -0,0 +1,55 @@ +<?php + +declare(strict_types = 1); + +/** + * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Authentication\TwoFactorAuth; + +use OC\Authentication\TwoFactorAuth\Db\ProviderUserAssignmentDao; +use OCP\Authentication\TwoFactorAuth\IProvider; +use OCP\Authentication\TwoFactorAuth\IRegistry; +use OCP\IUser; + +class Registry implements IRegistry { + + /** @var ProviderUserAssignmentDao */ + private $assignmentDao; + + public function __construct(ProviderUserAssignmentDao $assignmentDao) { + $this->assignmentDao = $assignmentDao; + } + + public function getProviderStates(IUser $user): array { + return $this->assignmentDao->getState($user->getUID()); + } + + public function enableProviderFor(IProvider $provider, IUser $user) { + $this->assignmentDao->persist($provider->getId(), $user->getUID(), 1); + } + + public function disableProviderFor(IProvider $provider, IUser $user) { + $this->assignmentDao->persist($provider->getId(), $user->getUID(), 0); + } + +} |