authorRobin Appelman <robin@icewind.nl>2017-02-17 15:40:20 +0100
committerLukas Reschke <lukas@statuscode.ch>2017-04-05 17:58:33 +0200
commitbaec42e80a74543543064f3af9946b9c4dafddeb (patch)
tree780c007ecb83b192c090d8a6018fe7a2cb86de43 /lib
parent6bdd3a167d9872c315236a09233f4a161ae48797 (diff)
Save the scope of an auth token in the session
Signed-off-by: Robin Appelman <robin@icewind.nl>
Diffstat (limited to 'lib')
-rw-r--r--lib/private/Lockdown/LockdownManager.php41
-rw-r--r--lib/private/Server.php6
-rw-r--r--lib/private/User/Session.php45
3 files changed, 68 insertions, 24 deletions
diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php
index 5ce52a03683..93752dc922f 100644
--- a/lib/private/Lockdown/LockdownManager.php
+++ b/lib/private/Lockdown/LockdownManager.php
@@ -20,27 +20,60 @@
namespace OC\Lockdown;
use OC\Authentication\Token\IToken;
+use OCP\ISession;
use OCP\Lockdown\ILockdownManager;
class LockdownManager implements ILockdownManager {
+ /** @var ISession */
+ private $sessionCallback;
+
private $enabled = false;
/** @var array|null */
private $scope;
+ /**
+ * LockdownManager constructor.
+ *
+ * @param callable $sessionCallback we need to inject the session lazily to avoid dependency loops
+ */
+ public function __construct(callable $sessionCallback) {
+ $this->sessionCallback = $sessionCallback;
+ }
+
+
public function enable() {
$this->enabled = true;
}
+ /**
+ * @return ISession
+ */
+ private function getSession() {
+ $callback = $this->sessionCallback;
+ return $callback();
+ }
+
+ private function getScopeAsArray() {
+ if (!$this->scope) {
+ $session = $this->getSession();
+ $sessionScope = $session->get('token_scope');
+ if ($sessionScope) {
+ $this->scope = $sessionScope;
+ }
+ }
+ return $this->scope;
+ }
+
public function setToken(IToken $token) {
$this->scope = $token->getScopeAsArray();
+ $session = $this->getSession();
+ $session->set('token_scope', $this->scope);
$this->enable();
}
public function canAccessFilesystem() {
- if (!$this->enabled) {
- return true;
- }
- return !$this->scope || $this->scope['filesystem'];
+ $scope = $this->getScopeAsArray();
+ return !$scope || $scope['filesystem'];
}
}
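Review bot: The docblock on the new `$sessionCallback` property says `@var ISession`, but the constructor stores a `callable` in it and `getSession()` invokes it, so it should read `/** @var callable */`. Now that `canAccessFilesystem()` reads `getScopeAsArray()` directly, the `$enabled` flag set by `enable()` is no longer consulted anywhere in this hunk, so either the old guard `if (!$this->enabled) { return true; }` was meant to stay or `enable()`/`$enabled` are dead state worth removing. `$scope['filesystem']` is read without checking that the key exists; a scope array lacking it emits a notice and evaluates to null, which denies access (fail-closed) but silently, whereas `return !$scope || !empty($scope['filesystem']);` makes the intent explicit. Note also that the scope is now persisted in the session under `token_scope` and re-read lazily on later requests whenever `$this->scope` is unset, so whatever ends a token session should clear that key; whether logout does is not visible here.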
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 10f9a810de9..98910b097b7 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -307,7 +307,7 @@ class Server extends ServerContainer implements IServerContainer {
$defaultTokenProvider = null;
}
- $userSession = new \OC\User\Session($manager, $session, $timeFactory, $defaultTokenProvider, $c->getConfig(), $c->getSecureRandom());
+ $userSession = new \OC\User\Session($manager, $session, $timeFactory, $defaultTokenProvider, $c->getConfig(), $c->getSecureRandom(), $c->getLockdownManager());
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
@@ -930,7 +930,9 @@ class Server extends ServerContainer implements IServerContainer {
});
$this->registerService('LockdownManager', function (Server $c) {
- return new LockdownManager();
+ return new LockdownManager(function() use ($c) {
+ return $c->getSession();
+ });
});
$this->registerService(ICloudIdManager::class, function (Server $c) {
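Review bot: The closure handed to `LockdownManager` resolves `$c->getSession()` on every call, and nothing at the registration site says why `ISession` cannot be injected directly; the reason given in the `LockdownManager` constructor docblock (a dependency loop, presumably because `\OC\User\Session` now receives `$c->getLockdownManager()` in the hunk at line 307 and the session is obtained through the user session) deserves a comment here, e.g. `// resolved lazily: the user session depends on the lockdown manager, so injecting ISession here would loop`. If `getSession()` is indeed routed through the user session, the cycle is only safe because the container caches `LockdownManager` before `\OC\User\Session` is built, and anything calling `getScopeAsArray()` during that construction would recurse. Since the closure uses `$c` and not `$this`, it can be declared `static function () use ($c)`.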
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 4980318b554..73a8196cecd 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -51,6 +51,7 @@ use OCP\ISession;
use OCP\IUser;
use OCP\IUserManager;
use OCP\IUserSession;
+use OCP\Lockdown\ILockdownManager;
use OCP\Security\ISecureRandom;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\Util;
@@ -84,7 +85,7 @@ class Session implements IUserSession, Emitter {
private $session;
/** @var ITimeFactory */
- private $timeFacory;
+ private $timeFactory;
/** @var IProvider */
private $tokenProvider;
@@ -98,26 +99,33 @@ class Session implements IUserSession, Emitter {
/** @var ISecureRandom */
private $random;
+ /** @var ILockdownManager */
+ private $lockdownManager;
+
/**
* @param IUserManager $manager
* @param ISession $session
- * @param ITimeFactory $timeFacory
+ * @param ITimeFactory $timeFactory
* @param IProvider $tokenProvider
* @param IConfig $config
* @param ISecureRandom $random
+ * @param ILockdownManager $lockdownManager
*/
public function __construct(IUserManager $manager,
ISession $session,
- ITimeFactory $timeFacory,
+ ITimeFactory $timeFactory,
$tokenProvider,
IConfig $config,
- ISecureRandom $random) {
+ ISecureRandom $random,
+ ILockdownManager $lockdownManager
+ ) {
$this->manager = $manager;
$this->session = $session;
- $this->timeFacory = $timeFacory;
+ $this->timeFactory = $timeFactory;
$this->tokenProvider = $tokenProvider;
$this->config = $config;
$this->random = $random;
+ $this->lockdownManager = $lockdownManager;
}
/**
@@ -374,7 +382,7 @@ class Session implements IUserSession, Emitter {
if (!is_null($request->getCookie('cookie_test'))) {
return true;
}
- setcookie('cookie_test', 'test', $this->timeFacory->getTime() + 3600);
+ setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
return false;
}
@@ -464,7 +472,7 @@ class Session implements IUserSession, Emitter {
);
// Set the last-password-confirm session to make the sudo mode work
- $this->session->set('last-password-confirm', $this->timeFacory->getTime());
+ $this->session->set('last-password-confirm', $this->timeFactory->getTime());
return true;
}
@@ -550,7 +558,7 @@ class Session implements IUserSession, Emitter {
$this->setUser($user);
$this->setLoginName($dbToken->getLoginName());
$this->setToken($dbToken->getId());
- \OC::$server->getLockdownManager()->setToken($dbToken);
+ $this->lockdownManager->setToken($dbToken);
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
if ($this->isLoggedIn()) {
@@ -626,7 +634,7 @@ class Session implements IUserSession, Emitter {
// Check whether login credentials are still valid and the user was not disabled
// This check is performed each 5 minutes
$lastCheck = $dbToken->getLastCheck() ? : 0;
- $now = $this->timeFacory->getTime();
+ $now = $this->timeFactory->getTime();
if ($lastCheck > ($now - 60 * 5)) {
// Checked performed recently, nothing to do now
return true;
@@ -747,7 +755,7 @@ class Session implements IUserSession, Emitter {
// replace successfully used token with a new one
$this->config->deleteUserValue($uid, 'login_token', $currentToken);
$newToken = $this->random->generate(32);
- $this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFacory->getTime());
+ $this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
try {
$sessionId = $this->session->getId();
@@ -766,6 +774,7 @@ class Session implements IUserSession, Emitter {
$this->setUser($user);
$this->setLoginName($token->getLoginName());
$this->setToken($token->getId());
+ $this->lockdownManager->setToken($token);
$user->updateLastLoginTimestamp();
$this->manager->emit('\OC\User', 'postRememberedLogin', [$user]);
return true;
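Review bot: `$this->lockdownManager->setToken($token)` is now called on the remember-me path as well as on the token login path at line 558, so both token-based logins persist `token_scope` into the session, but neither hunk shows a counterpart that clears it; because `LockdownManager::getScopeAsArray()` falls back to the session value whenever its own `$scope` is unset, a scope left over from an earlier token would keep applying to a later login in the same session that goes through neither path. For a restrictive scope that is fail-closed, but it silently over-restricts and is hard to diagnose, so the login paths that carry no token, and logout, should drop the key, e.g. `$this->session->remove('token_scope');` where the session is torn down (or the lockdown manager should expose a reset); that code is outside this hunk. The enclosing method starts before this hunk.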
@@ -776,7 +785,7 @@ class Session implements IUserSession, Emitter {
*/
public function createRememberMeToken(IUser $user) {
$token = $this->random->generate(32);
- $this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFacory->getTime());
+ $this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
$this->setMagicInCookie($user->getUID(), $token);
}
@@ -814,7 +823,7 @@ class Session implements IUserSession, Emitter {
$webRoot = '/';
}
- $expires = $this->timeFacory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+ $expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
try {
@@ -834,14 +843,14 @@ class Session implements IUserSession, Emitter {
unset($_COOKIE['nc_username']); //TODO: DI
unset($_COOKIE['nc_token']);
unset($_COOKIE['nc_session_id']);
- setcookie('nc_username', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
- setcookie('nc_token', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
- setcookie('nc_session_id', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+ setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+ setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+ setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
// old cookies might be stored under /webroot/ instead of /webroot
// and Firefox doesn't like it!
- setcookie('nc_username', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
- setcookie('nc_token', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
- setcookie('nc_session_id', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
}
/**