Merge pull request #3526 from nextcloud/token-save-scope

Save the scope of an auth token in the session

3 files changed, 68 insertions, 24 deletions

diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php
index 5ce52a03683..93752dc922f 100644
--- a/lib/private/Lockdown/LockdownManager.php
+++ b/lib/private/Lockdown/LockdownManager.php
@@ -20,27 +20,60 @@
 namespace OC\Lockdown;
 
 use OC\Authentication\Token\IToken;
+use OCP\ISession;
 use OCP\Lockdown\ILockdownManager;
 
 class LockdownManager implements ILockdownManager {
+	/** @var ISession */
+	private $sessionCallback;
+
 	private $enabled = false;
 
 	/** @var array|null */
 	private $scope;
 
+	/**
+	 * LockdownManager constructor.
+	 *
+	 * @param callable $sessionCallback we need to inject the session lazily to avoid dependency loops
+	 */
+	public function __construct(callable $sessionCallback) {
+		$this->sessionCallback = $sessionCallback;
+	}
+
+
 	public function enable() {
 		$this->enabled = true;
 	}
 
+	/**
+	 * @return ISession
+	 */
+	private function getSession() {
+		$callback = $this->sessionCallback;
+		return $callback();
+	}
+
+	private function getScopeAsArray() {
+		if (!$this->scope) {
+			$session = $this->getSession();
+			$sessionScope = $session->get('token_scope');
+			if ($sessionScope) {
+				$this->scope = $sessionScope;
+			}
+		}
+		return $this->scope;
+	}
+
 	public function setToken(IToken $token) {
 		$this->scope = $token->getScopeAsArray();
+		$session = $this->getSession();
+		$session->set('token_scope', $this->scope);
 		$this->enable();
 	}
 
 	public function canAccessFilesystem() {
-		if (!$this->enabled) {
-			return true;
-		}
-		return !$this->scope || $this->scope['filesystem'];
+		$scope = $this->getScopeAsArray();
+		return !$scope || $scope['filesystem'];
 	}
 }
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 10f9a810de9..98910b097b7 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -307,7 +307,7 @@ class Server extends ServerContainer implements IServerContainer {
 				$defaultTokenProvider = null;
 			}
 
-			$userSession = new \OC\User\Session($manager, $session, $timeFactory, $defaultTokenProvider, $c->getConfig(), $c->getSecureRandom());
+			$userSession = new \OC\User\Session($manager, $session, $timeFactory, $defaultTokenProvider, $c->getConfig(), $c->getSecureRandom(), $c->getLockdownManager());
 			$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
 				\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
 			});
@@ -930,7 +930,9 @@ class Server extends ServerContainer implements IServerContainer {
 		});
 
 		$this->registerService('LockdownManager', function (Server $c) {
-			return new LockdownManager();
+			return new LockdownManager(function() use ($c) {
+				return $c->getSession();
+			});
 		});
 
 		$this->registerService(ICloudIdManager::class, function (Server $c) {
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 4980318b554..73a8196cecd 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -51,6 +51,7 @@ use OCP\ISession;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
+use OCP\Lockdown\ILockdownManager;
 use OCP\Security\ISecureRandom;
 use OCP\Session\Exceptions\SessionNotAvailableException;
 use OCP\Util;
@@ -84,7 +85,7 @@ class Session implements IUserSession, Emitter {
 	private $session;
 
 	/** @var ITimeFactory */
-	private $timeFacory;
+	private $timeFactory;
 
 	/** @var IProvider */
 	private $tokenProvider;
@@ -98,26 +99,33 @@ class Session implements IUserSession, Emitter {
 	/** @var ISecureRandom */
 	private $random;
 
+	/** @var ILockdownManager  */
+	private $lockdownManager;
+
 	/**
 	 * @param IUserManager $manager
 	 * @param ISession $session
-	 * @param ITimeFactory $timeFacory
+	 * @param ITimeFactory $timeFactory
 	 * @param IProvider $tokenProvider
 	 * @param IConfig $config
 	 * @param ISecureRandom $random
+	 * @param ILockdownManager $lockdownManager
 	 */
 	public function __construct(IUserManager $manager,
 								ISession $session,
-								ITimeFactory $timeFacory,
+								ITimeFactory $timeFactory,
 								$tokenProvider,
 								IConfig $config,
-								ISecureRandom $random) {
+								ISecureRandom $random,
+								ILockdownManager $lockdownManager
+	) {
 		$this->manager = $manager;
 		$this->session = $session;
-		$this->timeFacory = $timeFacory;
+		$this->timeFactory = $timeFactory;
 		$this->tokenProvider = $tokenProvider;
 		$this->config = $config;
 		$this->random = $random;
+		$this->lockdownManager = $lockdownManager;
 	}
 
 	/**
@@ -374,7 +382,7 @@ class Session implements IUserSession, Emitter {
 		if (!is_null($request->getCookie('cookie_test'))) {
 			return true;
 		}
-		setcookie('cookie_test', 'test', $this->timeFacory->getTime() + 3600);
+		setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
 		return false;
 	}
 
@@ -464,7 +472,7 @@ class Session implements IUserSession, Emitter {
 					);
 
 					// Set the last-password-confirm session to make the sudo mode work
-					 $this->session->set('last-password-confirm', $this->timeFacory->getTime());
+					 $this->session->set('last-password-confirm', $this->timeFactory->getTime());
 
 					return true;
 				}
@@ -550,7 +558,7 @@ class Session implements IUserSession, Emitter {
 		$this->setUser($user);
 		$this->setLoginName($dbToken->getLoginName());
 		$this->setToken($dbToken->getId());
-		\OC::$server->getLockdownManager()->setToken($dbToken);
+		$this->lockdownManager->setToken($dbToken);
 		$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
 
 		if ($this->isLoggedIn()) {
@@ -626,7 +634,7 @@ class Session implements IUserSession, Emitter {
 		// Check whether login credentials are still valid and the user was not disabled
 		// This check is performed each 5 minutes
 		$lastCheck = $dbToken->getLastCheck() ? : 0;
-		$now = $this->timeFacory->getTime();
+		$now = $this->timeFactory->getTime();
 		if ($lastCheck > ($now - 60 * 5)) {
 			// Checked performed recently, nothing to do now
 			return true;
@@ -747,7 +755,7 @@ class Session implements IUserSession, Emitter {
 		// replace successfully used token with a new one
 		$this->config->deleteUserValue($uid, 'login_token', $currentToken);
 		$newToken = $this->random->generate(32);
-		$this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFacory->getTime());
+		$this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
 
 		try {
 			$sessionId = $this->session->getId();
@@ -766,6 +774,7 @@ class Session implements IUserSession, Emitter {
 		$this->setUser($user);
 		$this->setLoginName($token->getLoginName());
 		$this->setToken($token->getId());
+		$this->lockdownManager->setToken($token);
 		$user->updateLastLoginTimestamp();
 		$this->manager->emit('\OC\User', 'postRememberedLogin', [$user]);
 		return true;
@@ -776,7 +785,7 @@ class Session implements IUserSession, Emitter {
 	 */
 	public function createRememberMeToken(IUser $user) {
 		$token = $this->random->generate(32);
-		$this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFacory->getTime());
+		$this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
 		$this->setMagicInCookie($user->getUID(), $token);
 	}
 
@@ -814,7 +823,7 @@ class Session implements IUserSession, Emitter {
 			$webRoot = '/';
 		}
 
-		$expires = $this->timeFacory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+		$expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
 		setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
 		setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
 		try {
@@ -834,14 +843,14 @@ class Session implements IUserSession, Emitter {
 		unset($_COOKIE['nc_username']); //TODO: DI
 		unset($_COOKIE['nc_token']);
 		unset($_COOKIE['nc_session_id']);
-		setcookie('nc_username', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
 		// old cookies might be stored under /webroot/ instead of /webroot
 		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFacory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
 	}
 
 	/**