From df4fa2695e2e4b50e86f5eec8dc8f56810f1be2e Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 11 Oct 2018 21:46:04 +0200
Subject: New user backend interface to check if a user can confirm passwords On some backends (saml for example) users can't revalidate their passwords as Nextcloud has no way to do verify it.
Signed-off-by: Roeland Jago Douma
---
 .../User/Backend/IPasswordConfirmationBackend.php | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 lib/public/User/Backend/IPasswordConfirmationBackend.php
diff --git a/lib/public/User/Backend/IPasswordConfirmationBackend.php b/lib/public/User/Backend/IPasswordConfirmationBackend.php
new file mode 100644
index 00000000000..021ca8ca25b
--- /dev/null
+++ b/lib/public/User/Backend/IPasswordConfirmationBackend.php
@@ -0,0 +1,36 @@
+
+ *
+ * @author Roeland Jago Douma
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCP\User\Backend;
+
+/**
+ * @since 15.0.0
+ */
+interface IPasswordConfirmationBackend {
+
+ /**
+ * @since 15.0.0
+ */
+ public function canConfirmPassword(string $uid): bool;
+}
-- 
cgit v1.2.3
From 1fd640b40b9129b6b285bcab4ba085129a50836e Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 11 Oct 2018 21:55:42 +0200
Subject: Expose the backend of IUser
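Review bot: The docblock on `canConfirmPassword()` in the new `IPasswordConfirmationBackend.php` carries only `@since`, so the contract of a method that decides whether a security check runs is left undocumented. The middleware patch later in this series treats a `false` return as "skip password re-confirmation for this user", and a backend author has to know that before implementing the interface. I would add `@param string $uid the user to check` and `@return bool false when the backend has no way to verify this user's password; core then skips password re-confirmation for the user` to the method docblock. The interface docblock should also get a one-line summary saying which kind of backend (the commit message names SAML) is expected to implement it.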
Signed-off-by: Roeland Jago Douma
---
 lib/private/User/User.php | 4 ++++
 lib/public/IUser.php | 7 +++++++
 2 files changed, 11 insertions(+)
diff --git a/lib/private/User/User.php b/lib/private/User/User.php
index e171a65f8ce..06dd47b0887 100644
--- a/lib/private/User/User.php
+++ b/lib/private/User/User.php
@@ -302,6 +302,10 @@ class User implements IUser {
 return get_class($this->backend);
 }
+ public function getBackend() {
+ return $this->backend;
+ }
+
 /**
 * check if the backend allows the user to change his avatar on Personal page
 *
diff --git a/lib/public/IUser.php b/lib/public/IUser.php
index 3d8515a5e03..a3d7c6b71a6 100644
--- a/lib/public/IUser.php
+++ b/lib/public/IUser.php
@@ -108,6 +108,13 @@ interface IUser {
 */
 public function getBackendClassName();
+ /**
+ * Get the backend for the current user object
+ *
+ * @since 15.0.0
+ */
+ public function getBackend();
+
 /**
 * check if the backend allows the user to change his avatar on Personal page
 *
-- 
cgit v1.2.3
From 603b672a113a33aef2e230f2720734078d702ff6 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 11 Oct 2018 21:56:24 +0200
Subject: Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check.
Signed-off-by: Roeland Jago Douma
---
 .../Middleware/Security/PasswordConfirmationMiddleware.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
index 7c1c4595e9a..d752a68cf32 100644
--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
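Review bot: `getBackend()` is added to `lib/private/User/User.php` without any docblock and to the public `lib/public/IUser.php` without a `@return`, so a caller cannot tell what type comes back or whether it can be null; the same gap applies to both hunks. Because this hands the raw backend object to every consumer of the public API, the docblock should also state the intended use: capability checks such as `instanceof IPasswordConfirmationBackend`, not invoking backend operations directly, which would presumably go around whatever the user manager wraps them in (worth confirming). Assuming `$this->backend` is an `OCP\UserInterface`, which these hunks do not show, I would add `@return UserInterface|null` plus a sentence like `Intended for capability checks only; do not call backend operations on the returned object` to the interface, and `{@inheritdoc}` on the implementation.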
@@ -29,6 +29,7 @@ use OCP\AppFramework\Middleware;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\ISession;
 use OCP\IUserSession;
+use OCP\User\Backend\IPasswordConfirmationBackend;
 class PasswordConfirmationMiddleware extends Middleware {
 /** @var ControllerMethodReflector */
@@ -70,6 +71,13 @@ class PasswordConfirmationMiddleware extends Middleware {
 $user = $this->userSession->getUser();
 $backendClassName = '';
 if ($user !== null) {
+ $backend = $user->getBackend();
+ if ($backend instanceof IPasswordConfirmationBackend) {
+ if (!$backend->canConfirmPassword($user->getUID())) {
+ return;
+ }
+ }
+
 $backendClassName = $user->getBackendClassName();
 }
-- 
cgit v1.2.3
From 60bcae55a9ea9e6b474b790ff291c04fc54c810b Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Fri, 2 Nov 2018 12:32:45 +0100
Subject: Expose the info to the JS
Signed-off-by: Roeland Jago Douma
---
 lib/private/Template/JSConfigHelper.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php
index ad9ff0b6757..26da8fcc3c9 100644
--- a/lib/private/Template/JSConfigHelper.php
+++ b/lib/private/Template/JSConfigHelper.php
@@ -37,6 +37,7 @@ use OCP\IL10N;
 use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\IUser;
+use OCP\User\Backend\IPasswordConfirmationBackend;
 class JSConfigHelper {
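Review bot: The early `return;` in the `@@ -70,6 +71,13 @@` hunk of `PasswordConfirmationMiddleware.php` switches the password-confirmation check off with no comment and no trace, purely on the answer of the user backend. A backend that wrongly returns `false` from `canConfirmPassword()` therefore disables re-authentication for that user on every action this middleware guards, so the line deserves a why-comment such as `// The backend cannot verify a password (e.g. SAML), so re-confirmation is impossible; skip it.` The two nested `if`s read more clearly as one guard, `if ($backend instanceof IPasswordConfirmationBackend && !$backend->canConfirmPassword($user->getUID())) {`. No test change appears anywhere in this series as shown; a middleware test for the `false` and the `true` answer would pin the skip behaviour down. The enclosing method starts and ends outside the hunk.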
@@ -109,12 +110,18 @@ class JSConfigHelper {
 public function getConfig() {
+ $userBackendAllowsPasswordConfirmation = true;
 if ($this->currentUser !== null) {
 $uid = $this->currentUser->getUID();
- $userBackend = $this->currentUser->getBackendClassName();
+
+ $backend = $this->currentUser->getBackend();
+ if ($backend instanceof IPasswordConfirmationBackend) {
+ $userBackendAllowsPasswordConfirmation = $backend->canConfirmPassword($uid);
+ } else if (isset($this->excludedUserBackEnds[$this->currentUser->getBackendClassName()])) {
+ $userBackendAllowsPasswordConfirmation = false;
+ }
 } else {
 $uid = null;
- $userBackend = '';
 }
 // Get the config
@@ -161,7 +168,7 @@ class JSConfigHelper {
 $array = [
 "oc_debug" => $this->config->getSystemValue('debug', false) ? 'true' : 'false',
 "oc_isadmin" => $this->groupManager->isAdmin($uid) ? 'true' : 'false',
- "backendAllowsPasswordConfirmation" => !isset($this->excludedUserBackEnds[$userBackend]) ? 'true' : 'false',
+ "backendAllowsPasswordConfirmation" => $userBackendAllowsPasswordConfirmation ? 'true' : 'false',
 "oc_dataURL" => is_string($dataLocation) ? "\"".$dataLocation."\"" : 'false',
 "oc_webroot" => "\"".\OC::$WEBROOT."\"",
 "oc_appswebroots" => str_replace('\\/', '/', json_encode($apps_paths)), // Ugly unescape slashes waiting for better solution
-- 
cgit v1.2.3
From 90c4b7db156c9aee6dc543032eabecc0b4364236 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Fri, 2 Nov 2018 13:45:01 +0100
Subject: Bump autoloaders
Signed-off-by: Roeland Jago Douma
---
 lib/composer/composer/autoload_classmap.php | 1 +
 lib/composer/composer/autoload_static.php | 1 +
 2 files changed, 2 insertions(+)
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 53a7c9d3cf7..66aeafc56c5 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
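Review bot: In `getConfig()` the interface answer is final: once `$backend instanceof IPasswordConfirmationBackend` matches, `excludedUserBackEnds` is never consulted, while the middleware patch earlier in this series returns early only on `false` and otherwise carries on to its `getBackendClassName()` path. If that path still applies the exclusion list (it lies outside the visible hunk), a backend that implements the interface, answers `true` and is also on the list ends up with `backendAllowsPasswordConfirmation` set to `'true'` for the client while the server does not demand confirmation. The value is only a UI hint and enforcement stays in the middleware, so this is an inconsistency rather than a bypass, but the rule should be the same in both places; a comment such as `// Must mirror the decision in PasswordConfirmationMiddleware` above the `if` would keep them from drifting. As a style point, `else if` is normally written `elseif` in PHP. The body of `getConfig()` continues outside both hunks.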
@@ -391,6 +391,7 @@ return array( 'OCP\\User\\Backend\\ICreateUserBackend' => $baseDir . '/lib/public/User/Backend/ICreateUserBackend.php', 'OCP\\User\\Backend\\IGetDisplayNameBackend' => $baseDir . '/lib/public/User/Backend/IGetDisplayNameBackend.php', 'OCP\\User\\Backend\\IGetHomeBackend' => $baseDir . '/lib/public/User/Backend/IGetHomeBackend.php', + 'OCP\\User\\Backend\\IPasswordConfirmationBackend' => $baseDir . '/lib/public/User/Backend/IPasswordConfirmationBackend.php', 'OCP\\User\\Backend\\IProvideAvatarBackend' => $baseDir . '/lib/public/User/Backend/IProvideAvatarBackend.php', 'OCP\\User\\Backend\\ISetDisplayNameBackend' => $baseDir . '/lib/public/User/Backend/ISetDisplayNameBackend.php', 'OCP\\User\\Backend\\ISetPasswordBackend' => $baseDir . '/lib/public/User/Backend/ISetPasswordBackend.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index 6cd39952b1b..f50e6b5beb0 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php 
@@ -421,6 +421,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OCP\\User\\Backend\\ICreateUserBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/ICreateUserBackend.php', 'OCP\\User\\Backend\\IGetDisplayNameBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/IGetDisplayNameBackend.php', 'OCP\\User\\Backend\\IGetHomeBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/IGetHomeBackend.php', + 'OCP\\User\\Backend\\IPasswordConfirmationBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/IPasswordConfirmationBackend.php', 'OCP\\User\\Backend\\IProvideAvatarBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/IProvideAvatarBackend.php', 'OCP\\User\\Backend\\ISetDisplayNameBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/ISetDisplayNameBackend.php', 'OCP\\User\\Backend\\ISetPasswordBackend' => __DIR__ . '/../../..' . '/lib/public/User/Backend/ISetPasswordBackend.php', -- cgit v1.2.3