feat: Use inline password confirmation in external storage settings

Signed-off-by: Louis Chemineau <louis@chmn.me>
author: Louis Chemineau <louis@chmn.me> 2024-11-27 17:01:25 +0100
committer: Louis Chemineau <louis@chmn.me> 2024-11-28 11:01:54 +0100
commit: a2f2f7ce93e66f97827229de1d2b4cb233976096 (patch)
tree: 7febee48e19b5997ccb5b29a5a0c58c46ed4cbcf /lib
parent: ec26cd7b6c7a031921c3f3ea97ecb2bd1981dc00 (diff)
download: nextcloud-server-a2f2f7ce93e66f97827229de1d2b4cb233976096.tar.gz
nextcloud-server-a2f2f7ce93e66f97827229de1d2b4cb233976096.zip
3 files changed, 77 insertions, 66 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
index a6a3aec9489..2083a0e7195 100644
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -23,6 +23,7 @@ use OC\Diagnostics\EventLogger;
 use OC\Log\PsrLoggerAdapter;
 use OC\ServerContainer;
 use OC\Settings\AuthorizedGroupMapper;
+use OC\User\Manager as UserManager;
 use OCA\WorkflowEngine\Manager;
 use OCP\AppFramework\Http\IOutput;
 use OCP\AppFramework\IAppContainer;
@@ -251,6 +252,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 					$c->get(ITimeFactory::class),
 					$c->get(\OC\Authentication\Token\IProvider::class),
 					$c->get(LoggerInterface::class),
+					$c->get(IRequest::class),
+					$c->get(UserManager::class),
 				)
 			);
 			$dispatcher->registerMiddleware(
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
index f5416ff652a..2e3ed02ed34 100644
--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -8,6 +8,7 @@ namespace OC\AppFramework\Middleware\Security;
 use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Authentication\Token\IProvider;
+use OC\User\Manager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Middleware;
@@ -16,6 +17,7 @@ use OCP\Authentication\Exceptions\ExpiredTokenException;
 use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Authentication\Exceptions\WipeTokenException;
 use OCP\Authentication\Token\IToken;
+use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Session\Exceptions\SessionNotAvailableException;
@@ -24,76 +26,67 @@ use Psr\Log\LoggerInterface;
 use ReflectionMethod;
 
 class PasswordConfirmationMiddleware extends Middleware {
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var ISession */
-	private $session;
-	/** @var IUserSession */
-	private $userSession;
-	/** @var ITimeFactory */
-	private $timeFactory;
-	/** @var array */
-	private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
-	private IProvider $tokenProvider;
+	private array $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
 
-	/**
-	 * PasswordConfirmationMiddleware constructor.
-	 *
-	 * @param ControllerMethodReflector $reflector
-	 * @param ISession $session
-	 * @param IUserSession $userSession
-	 * @param ITimeFactory $timeFactory
-	 */
 	public function __construct(
-		ControllerMethodReflector $reflector,
-		ISession $session,
-		IUserSession $userSession,
-		ITimeFactory $timeFactory,
-		IProvider $tokenProvider,
+		private ControllerMethodReflector $reflector,
+		private ISession $session,
+		private IUserSession $userSession,
+		private ITimeFactory $timeFactory,
+		private IProvider $tokenProvider,
 		private readonly LoggerInterface $logger,
+		private readonly IRequest $request,
+		private readonly Manager $userManager,
 	) {
-		$this->reflector = $reflector;
-		$this->session = $session;
-		$this->userSession = $userSession;
-		$this->timeFactory = $timeFactory;
-		$this->tokenProvider = $tokenProvider;
 	}
 
 	/**
-	 * @param Controller $controller
-	 * @param string $methodName
 	 * @throws NotConfirmedException
 	 */
-	public function beforeController($controller, $methodName) {
+	public function beforeController(Controller $controller, string $methodName) {
 		$reflectionMethod = new ReflectionMethod($controller, $methodName);
 
-		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) {
-			$user = $this->userSession->getUser();
-			$backendClassName = '';
-			if ($user !== null) {
-				$backend = $user->getBackend();
-				if ($backend instanceof IPasswordConfirmationBackend) {
-					if (!$backend->canConfirmPassword($user->getUID())) {
-						return;
-					}
-				}
+		if (!$this->needsPasswordConfirmation($reflectionMethod)) {
+			return;
+		}
 
-				$backendClassName = $user->getBackendClassName();
+		$user = $this->userSession->getUser();
+		$backendClassName = '';
+		if ($user !== null) {
+			$backend = $user->getBackend();
+			if ($backend instanceof IPasswordConfirmationBackend) {
+				if (!$backend->canConfirmPassword($user->getUID())) {
+					return;
+				}
 			}
 
-			try {
-				$sessionId = $this->session->getId();
-				$token = $this->tokenProvider->getToken($sessionId);
-			} catch (SessionNotAvailableException|InvalidTokenException|WipeTokenException|ExpiredTokenException) {
-				// States we do not deal with here.
-				return;
-			}
-			$scope = $token->getScopeAsArray();
-			if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
-				// Users logging in from SSO backends cannot confirm their password by design
-				return;
+			$backendClassName = $user->getBackendClassName();
+		}
+
+		try {
+			$sessionId = $this->session->getId();
+			$token = $this->tokenProvider->getToken($sessionId);
+		} catch (SessionNotAvailableException|InvalidTokenException|WipeTokenException|ExpiredTokenException) {
+			// States we do not deal with here.
+			return;
+		}
+
+		$scope = $token->getScopeAsArray();
+		if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
+			// Users logging in from SSO backends cannot confirm their password by design
+			return;
+		}
+
+		if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
+			$authHeader = $this->request->getHeader('Authorization');
+			[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
+			$loginResult = $this->userManager->checkPassword($user->getUid(), $password);
+			if ($loginResult === false) {
+				throw new NotConfirmedException();
 			}
 
+			$this->session->set('last-password-confirm', $this->timeFactory->getTime());
+		} else {
 			$lastConfirm = (int)$this->session->get('last-password-confirm');
 			// TODO: confirm excludedUserBackEnds can go away and remove it
 			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
@@ -102,24 +95,22 @@ class PasswordConfirmationMiddleware extends Middleware {
 		}
 	}
 
-	/**
-	 * @template T
-	 *
-	 * @param ReflectionMethod $reflectionMethod
-	 * @param string $annotationName
-	 * @param class-string<T> $attributeClass
-	 * @return boolean
-	 */
-	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
-		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
+	private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod): bool {
+		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
+		if (!empty($attributes)) {
 			return true;
 		}
 
-		if ($this->reflector->hasAnnotation($annotationName)) {
-			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
+		if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
+			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . 'PasswordConfirmationRequired' . ' annotation and should use the #[PasswordConfirmationRequired] attribute instead');
 			return true;
 		}
 
 		return false;
 	}
+
+	private function isPasswordConfirmationStrict(ReflectionMethod $reflectionMethod): bool {
+		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
+		return !empty($attributes) && ($attributes[0]->newInstance()->getStrict());
+	}
 }
diff --git a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php
index 0f0f4b38040..c41e5aa2445 100644
--- a/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php
+++ b/lib/public/AppFramework/Http/Attribute/PasswordConfirmationRequired.php
@@ -18,4 +18,21 @@ use Attribute;
  */
 #[Attribute]
 class PasswordConfirmationRequired {
+	/**
+	 * @param bool $strict - Whether password confirmation needs to happen in the request.
+	 *
+	 * @since 31.0.0
+	 */
+	public function __construct(
+		protected bool $strict = false,
+	) {
+	}
+
+	/**
+	 * @since 31.0.0
+	 */
+	public function getStrict(): bool {
+		return $this->strict;
+	}
+
 }
author	Louis Chemineau <louis@chmn.me>	2024-11-27 17:01:25 +0100
committer	Louis Chemineau <louis@chmn.me>	2024-11-28 11:01:54 +0100
commit	a2f2f7ce93e66f97827229de1d2b4cb233976096 (patch)
tree	7febee48e19b5997ccb5b29a5a0c58c46ed4cbcf /lib
parent	ec26cd7b6c7a031921c3f3ea97ecb2bd1981dc00 (diff)
download	nextcloud-server-a2f2f7ce93e66f97827229de1d2b4cb233976096.tar.gz nextcloud-server-a2f2f7ce93e66f97827229de1d2b4cb233976096.zip