diff options
-rw-r--r-- | core/Command/TwoFactorAuth/Disable.php | 65 | ||||
-rw-r--r-- | core/Command/TwoFactorAuth/Enable.php | 65 | ||||
-rw-r--r-- | core/Middleware/TwoFactorMiddleware.php | 4 | ||||
-rw-r--r-- | core/register_command.php | 7 | ||||
-rw-r--r-- | lib/private/Authentication/TwoFactorAuth/Manager.php | 29 | ||||
-rw-r--r-- | lib/private/Server.php | 2 |
6 files changed, 169 insertions, 3 deletions
diff --git a/core/Command/TwoFactorAuth/Disable.php b/core/Command/TwoFactorAuth/Disable.php new file mode 100644 index 00000000000..7b237186ef2 --- /dev/null +++ b/core/Command/TwoFactorAuth/Disable.php @@ -0,0 +1,65 @@ +<?php + +/** + * @author Christoph Wurst <christoph@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Core\Command\TwoFactorAuth; + +use OC\Authentication\TwoFactorAuth\Manager; +use OC\User\Manager as UserManager; +use OC\Core\Command\Base; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class Disable extends Base { + + /** @var Manager */ + private $manager; + + /** @var UserManager */ + private $userManager; + + public function __construct(Manager $manager, UserManager $userManager) { + parent::__construct('twofactorauth:disable'); + $this->manager = $manager; + $this->userManager = $userManager; + } + + protected function configure() { + parent::configure(); + + $this->setName('twofactorauth:disable'); + $this->setDescription('Disable two-factor authentication for a user'); + $this->addArgument('uid', InputArgument::REQUIRED); + } + + protected function execute(InputInterface $input, OutputInterface $output) { + $uid = $input->getArgument('uid'); + $user = $this->userManager->get($uid); + if (is_null($user)) { + $output->writeln("<error>Invalid UID</error>"); + return; + } + $this->manager->disableTwoFactorAuthentication($user); + $output->writeln("Two-factor authentication disabled for user $uid"); + } + +} diff --git a/core/Command/TwoFactorAuth/Enable.php b/core/Command/TwoFactorAuth/Enable.php new file mode 100644 index 00000000000..0c3e4f5fb3b --- /dev/null +++ b/core/Command/TwoFactorAuth/Enable.php @@ -0,0 +1,65 @@ +<?php + +/** + * @author Christoph Wurst <christoph@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Core\Command\TwoFactorAuth; + +use OC\Authentication\TwoFactorAuth\Manager; +use OC\User\Manager as UserManager; +use OC\Core\Command\Base; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class Enable extends Base { + + /** @var Manager */ + private $manager; + + /** @var UserManager */ + private $userManager; + + public function __construct(Manager $manager, UserManager $userManager) { + parent::__construct('twofactorauth:enable'); + $this->manager = $manager; + $this->userManager = $userManager; + } + + protected function configure() { + parent::configure(); + + $this->setName('twofactorauth:enable'); + $this->setDescription('Enable two-factor authentication for a user'); + $this->addArgument('uid', InputArgument::REQUIRED); + } + + protected function execute(InputInterface $input, OutputInterface $output) { + $uid = $input->getArgument('uid'); + $user = $this->userManager->get($uid); + if (is_null($user)) { + $output->writeln("<error>Invalid UID</error>"); + return; + } + $this->manager->enableTwoFactorAuthentication($user); + $output->writeln("Two-factor authentication enabled for user $uid"); + } + +} diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php index ea25aa36ecd..bcb06d20081 100644 --- a/core/Middleware/TwoFactorMiddleware.php +++ b/core/Middleware/TwoFactorMiddleware.php @@ -82,6 +82,10 @@ class TwoFactorMiddleware extends Middleware { if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { $this->checkTwoFactor($controller, $methodName); + } else if ($controller instanceof TwoFactorChallengeController) { + // Allow access to the two-factor controllers only if two-factor authentication + // is in progress. + throw new UserAlreadyLoggedInException(); } } // TODO: dont check/enforce 2FA if a auth token is used diff --git a/core/register_command.php b/core/register_command.php index 01ec2e7f28e..33e2ba46720 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -57,6 +57,13 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\App\Enable(\OC::$server->getAppManager())); $application->add(new OC\Core\Command\App\GetPath()); $application->add(new OC\Core\Command\App\ListApps(\OC::$server->getAppManager())); + + $application->add(new OC\Core\Command\TwoFactorAuth\Enable( + \OC::$server->getTwoFactorAuthManager(), \OC::$server->getUserManager() + )); + $application->add(new OC\Core\Command\TwoFactorAuth\Disable( + \OC::$server->getTwoFactorAuthManager(), \OC::$server->getUserManager() + )); $application->add(new OC\Core\Command\Background\Cron(\OC::$server->getConfig())); $application->add(new OC\Core\Command\Background\WebCron(\OC::$server->getConfig())); diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php index 2fdadee6d3e..57d682ec620 100644 --- a/lib/private/Authentication/TwoFactorAuth/Manager.php +++ b/lib/private/Authentication/TwoFactorAuth/Manager.php @@ -26,6 +26,7 @@ use OC; use OC\App\AppManager; use OCP\AppFramework\QueryException; use OCP\Authentication\TwoFactorAuth\IProvider; +use OCP\IConfig; use OCP\ISession; use OCP\IUser; @@ -39,13 +40,18 @@ class Manager { /** @var ISession */ private $session; + /** @var IConfig */ + private $config; + /** * @param AppManager $appManager * @param ISession $session + * @param IConfig $config */ - public function __construct(AppManager $appManager, ISession $session) { + public function __construct(AppManager $appManager, ISession $session, IConfig $config) { $this->appManager = $appManager; $this->session = $session; + $this->config = $config; } /** @@ -55,7 +61,26 @@ class Manager { * @return boolean */ public function isTwoFactorAuthenticated(IUser $user) { - return count($this->getProviders($user)) > 0; + $twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0; + return $twoFactorEnabled && count($this->getProviders($user)) > 0; + } + + /** + * Disable 2FA checks for the given user + * + * @param IUser $user + */ + public function disableTwoFactorAuthentication(IUser $user) { + $this->config->setUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 1); + } + + /** + * Enable all 2FA checks for the given user + * + * @param IUser $user + */ + public function enableTwoFactorAuthentication(IUser $user) { + $this->config->deleteUserValue($user->getUID(), 'core', 'two_factor_auth_disabled'); } /** diff --git a/lib/private/Server.php b/lib/private/Server.php index 05945cc5c1f..c878afa0a0e 100644 --- a/lib/private/Server.php +++ b/lib/private/Server.php @@ -277,7 +277,7 @@ class Server extends ServerContainer implements IServerContainer { }); $this->registerService('\OC\Authentication\TwoFactorAuth\Manager', function (Server $c) { - return new \OC\Authentication\TwoFactorAuth\Manager($c->getAppManager(), $c->getSession()); + return new \OC\Authentication\TwoFactorAuth\Manager($c->getAppManager(), $c->getSession(), $c->getConfig()); }); $this->registerService('NavigationManager', function ($c) { |