Create session tokens for apache auth users

6 files changed, 59 insertions, 9 deletions

diff --git a/lib/private/Authentication/Exceptions/PasswordlessTokenException.php b/lib/private/Authentication/Exceptions/PasswordlessTokenException.php
new file mode 100644
index 00000000000..dbe0ee8fbca
--- /dev/null
+++ b/lib/private/Authentication/Exceptions/PasswordlessTokenException.php
@@ -0,0 +1,29 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Authentication\Exceptions;
+
+use Exception;
+
+class PasswordlessTokenException extends Exception {
+
+}
diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php
index 4be43fada0d..299291e34af 100644
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@@ -27,7 +27,6 @@ use OCP\AppFramework\Db\Entity;
  * @method void setId(int $id)
  * @method void setUid(string $uid);
  * @method void setLoginName(string $loginName)
- * @method string getLoginName()
  * @method void setPassword(string $password)
  * @method void setName(string $name)
  * @method string getName()
diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php
index dd6e264ed3d..84effc5f875 100644
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -23,6 +23,7 @@ namespace OC\Authentication\Token;
 
 use Exception;
 use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
@@ -68,7 +69,7 @@ class DefaultTokenProvider implements IProvider {
 	 * @param string $token
 	 * @param string $uid
 	 * @param string $loginName
-	 * @param string $password
+	 * @param string|null $password
 	 * @param string $name
 	 * @param int $type token type
 	 * @return IToken
@@ -77,7 +78,9 @@ class DefaultTokenProvider implements IProvider {
 		$dbToken = new DefaultToken();
 		$dbToken->setUid($uid);
 		$dbToken->setLoginName($loginName);
-		$dbToken->setPassword($this->encryptPassword($password, $token));
+		if (!is_null($password)) {
+			$dbToken->setPassword($this->encryptPassword($password, $token));
+		}
 		$dbToken->setName($name);
 		$dbToken->setToken($this->hashToken($token));
 		$dbToken->setType($type);
@@ -136,10 +139,15 @@ class DefaultTokenProvider implements IProvider {
 	 * @param IToken $savedToken
 	 * @param string $tokenId session token
 	 * @throws InvalidTokenException
+	 * @throws PasswordlessTokenException
 	 * @return string
 	 */
 	public function getPassword(IToken $savedToken, $tokenId) {
-		return $this->decryptPassword($savedToken->getPassword(), $tokenId);
+		$password = $savedToken->getPassword();
+		if (is_null($password)) {
+			throw new PasswordlessTokenException();
+		}
+		return $this->decryptPassword($password, $tokenId);
 	}
 
 	/**
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index bdfde62d320..fece7dcb567 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -22,6 +22,7 @@
 namespace OC\Authentication\Token;
 
 use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OCP\IUser;
 
 interface IProvider {
@@ -32,7 +33,7 @@ interface IProvider {
 	 * @param string $token
 	 * @param string $uid
 	 * @param string $loginName
-	 * @param string $password
+	 * @param string|null $password
 	 * @param string $name
 	 * @param int $type token type
 	 * @return IToken
@@ -94,6 +95,7 @@ interface IProvider {
 	 * @param IToken $token
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
+	 * @throws PasswordlessTokenException
 	 * @return string
 	 */
 	public function getPassword(IToken $token, $tokenId);
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 20f1812077e..362468d4109 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -32,6 +32,7 @@ namespace OC\User;
 
 use OC;
 use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
 use OC\Hooks\Emitter;
@@ -46,6 +47,7 @@ use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\Session\Exceptions\SessionNotAvailableException;
+use OCP\Util;
 
 /**
  * Class Session
@@ -220,6 +222,10 @@ class Session implements IUserSession, Emitter {
 				// An invalid token password was used -> log user out
 				$this->logout();
 				return;
+			} catch (PasswordlessTokenException $ex) {
+				// Token has no password, nothing to check
+				$this->session->set('last_login_check', $now);
+				return;
 			}
 
 			if ($this->manager->checkPassword($token->getLoginName(), $pwd) === false
@@ -297,8 +303,12 @@ class Session implements IUserSession, Emitter {
 			// When logging in with token, the password must be decrypted first before passing to login hook
 			try {
 				$token = $this->tokenProvider->getToken($password);
-				$password = $this->tokenProvider->getPassword($token, $password);
-				$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
+				try {
+					$password = $this->tokenProvider->getPassword($token, $password);
+					$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
+				} catch (PasswordlessTokenException $ex) {
+					$this->manager->emit('\OC\User', 'preLogin', array($uid, ''));
+				}
 			} catch (InvalidTokenException $ex) {
 				// Invalid token, nothing to do
 			}
@@ -359,7 +369,7 @@ class Session implements IUserSession, Emitter {
 	}
 
 	protected function isTwoFactorEnforced($username) {
-		\OCP\Util::emitHook(
+		Util::emitHook(
 			'\OCA\Files_Sharing\API\Server2Server',
 			'preLoginNameUsedAsUserName',
 			array('uid' => &$username)
@@ -452,7 +462,7 @@ class Session implements IUserSession, Emitter {
 	 * @param string $password
 	 * @return boolean
 	 */
-	public function createSessionToken(IRequest $request, $uid, $loginName, $password) {
+	public function createSessionToken(IRequest $request, $uid, $loginName, $password = null) {
 		if (is_null($this->manager->get($uid))) {
 			// User does not exist
 			return false;
diff --git a/lib/private/legacy/user.php b/lib/private/legacy/user.php
index 6e113bd4742..d4d84ed3fa2 100644
--- a/lib/private/legacy/user.php
+++ b/lib/private/legacy/user.php
@@ -180,6 +180,8 @@ class OC_User {
 				self::setUserId($uid);
 				self::setDisplayName($uid);
 				self::getUserSession()->setLoginName($uid);
+				$request = OC::$server->getRequest();
+				self::getUserSession()->createSessionToken($request, $uid, $uid);
 				// setup the filesystem
 				OC_Util::setupFS($uid);
 				// first call the post_login hooks, the login-process needs to be