From f98044ddce437eda32f5aa40df505c5bfaf46714 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 10 Mar 2022 15:25:22 +0100
Subject: Trigger an event to log an activity when an administrator generates an app password
Signed-off-by: Joas Schilling
---
 core/Command/User/AddAppPassword.php | 17 +++++++++++------
 core/register_command.php | 2 +-
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/core/Command/User/AddAppPassword.php b/core/Command/User/AddAppPassword.php
index a29692df045..34c8dc67ccc 100644
--- a/core/Command/User/AddAppPassword.php
+++ b/core/Command/User/AddAppPassword.php
@@ -23,10 +23,11 @@
 */
 namespace OC\Core\Command\User;
+use OC\Authentication\Events\AppPasswordCreatedEvent;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IUserManager;
-use OCP\Security\ICrypto;
 use OCP\Security\ISecureRandom;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Helper\QuestionHelper;
@@ -44,17 +45,17 @@ class AddAppPassword extends Command {
 protected $tokenProvider;
 /** @var ISecureRandom */
 private $random;
- /** @var ICrypto */
- private $crypto;
+ /** @var IEventDispatcher */
+ private $eventDispatcher;
 public function __construct(IUserManager $userManager,
 IProvider $tokenProvider,
 ISecureRandom $random,
- ICrypto $crypto) {
+ IEventDispatcher $eventDispatcher) {
 $this->tokenProvider = $tokenProvider;
 $this->userManager = $userManager;
 $this->random = $random;
- $this->crypto = $crypto;
+ $this->eventDispatcher = $eventDispatcher;
 parent::__construct();
 }
@@ -112,7 +113,7 @@ class AddAppPassword extends Command {
 $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
- $this->tokenProvider->generateToken(
+ $generatedToken = $this->tokenProvider->generateToken(
 $token,
 $user->getUID(),
 $user->getUID(),
@@ -122,6 +123,10 @@ class AddAppPassword extends Command {
 IToken::DO_NOT_REMEMBER
 );
+ $this->eventDispatcher->dispatchTyped(
+ new AppPasswordCreatedEvent($generatedToken)
+ );
+
 $output->writeln('app password:');
 $output->writeln($token);
diff --git a/core/register_command.php b/core/register_command.php
index c7d3b073b91..5a708510568 100644
--- a/core/register_command.php
+++ b/core/register_command.php
@@ -187,7 +187,7 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) {
 $application->add(new OC\Core\Command\User\Setting(\OC::$server->getUserManager(), \OC::$server->getConfig()));
 $application->add(new OC\Core\Command\User\ListCommand(\OC::$server->getUserManager(), \OC::$server->getGroupManager()));
 $application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager()));
- $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\Security\ICrypto::class)));
+ $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class)));
 $application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager()));
 $application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager()));
-- cgit v1.2.3
From a6882deebc0b4ab3bc181f97e5adb35f1bb4fcd0 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 10 Mar 2022 15:26:47 +0100
Subject: Differenciate the activity depending on admin vs user action
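Review bot: In the `@@ -122,6 +123,10 @@` hunk of core/Command/User/AddAppPassword.php the event is dispatched after `generateToken()` has stored the app password but before `$output->writeln($token)` prints it, so an exception escaping any listener would abort the command with a valid credential in the token store that nobody has seen. Whether a listener can throw is not visible here, so treat this as a robustness gap rather than a confirmed failure. I would catch the failure around the dispatch and report it, e.g. `try { $this->eventDispatcher->dispatchTyped(new AppPasswordCreatedEvent($generatedToken)); } catch (\Throwable $e) { $output->writeln('Could not record the activity: ' . $e->getMessage()); }`, so the administrator still receives the token and knows the audit entry is missing. The enclosing method starts and ends outside the hunk.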
Signed-off-by: Joas Schilling
---
 apps/settings/lib/Activity/Provider.php | 6 +++++-
 apps/settings/lib/Listener/AppPasswordCreatedActivityListener.php | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/apps/settings/lib/Activity/Provider.php b/apps/settings/lib/Activity/Provider.php
index 2d5c858f5e8..a6314fdfb11 100644
--- a/apps/settings/lib/Activity/Provider.php
+++ b/apps/settings/lib/Activity/Provider.php
@@ -115,7 +115,11 @@ class Provider implements IProvider {
 } elseif ($event->getSubject() === self::EMAIL_CHANGED) {
 $subject = $this->l->t('Your email address was changed by an administrator');
 } elseif ($event->getSubject() === self::APP_TOKEN_CREATED) {
- $subject = $this->l->t('You created app password "{token}"');
+ if ($event->getAffectedUser() === $event->getAuthor()) {
+ $subject = $this->l->t('You created app password "{token}"');
+ } else {
+ $subject = $this->l->t('An administrator created app password "{token}"');
+ }
 } elseif ($event->getSubject() === self::APP_TOKEN_DELETED) {
 $subject = $this->l->t('You deleted app password "{token}"');
 } elseif ($event->getSubject() === self::APP_TOKEN_RENAMED) {
diff --git a/apps/settings/lib/Listener/AppPasswordCreatedActivityListener.php b/apps/settings/lib/Listener/AppPasswordCreatedActivityListener.php
index 3eec74f4604..587d626ef97 100644
--- a/apps/settings/lib/Listener/AppPasswordCreatedActivityListener.php
+++ b/apps/settings/lib/Listener/AppPasswordCreatedActivityListener.php
@@ -31,6 +31,7 @@ use OCA\Settings\Activity\Provider;
 use OCP\Activity\IManager as IActivityManager;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
+use OCP\IUserSession;
 use Psr\Log\LoggerInterface;
 /**
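Review bot: The `else` branch added in the `@@ -115,7 +115,11 @@` hunk of apps/settings/lib/Activity/Provider.php labels every author/affected-user mismatch as "An administrator", yet nothing in this change verifies that an administrator was involved. The `@@ -58,7 +64,7 @@` hunk of AppPasswordCreatedActivityListener.php sets the author to `''` whenever there is no session user, so any session-less dispatch of the event, and any session belonging to a different non-admin user, produces the same security activity entry. If the occ command is the only case meant, make the branch explicit with `} elseif ($event->getAuthor() === '') {` for the administrator wording and add a neutral fallback message for other mismatches. The surrounding if/elseif chain continues outside the hunk.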
@@ -40,12 +41,17 @@ class AppPasswordCreatedActivityListener implements IEventListener {
 /** @var IActivityManager */
 private $activityManager;
+ /** @var IUserSession */
+ private $userSession;
+
 /** @var LoggerInterface */
 private $logger;
 public function __construct(IActivityManager $activityManager,
+ IUserSession $userSession,
 LoggerInterface $logger) {
 $this->activityManager = $activityManager;
+ $this->userSession = $userSession;
 $this->logger = $logger;
 }
@@ -58,7 +64,7 @@ class AppPasswordCreatedActivityListener implements IEventListener {
 $activity->setApp('settings')
 ->setType('security')
 ->setAffectedUser($event->getToken()->getUID())
- ->setAuthor($event->getToken()->getUID())
+ ->setAuthor($this->userSession->getUser() ? $this->userSession->getUser()->getUID() : '')
 ->setSubject(Provider::APP_TOKEN_CREATED, ['name' => $event->getToken()->getName()])
 ->setObject('app_token', $event->getToken()->getId());
-- cgit v1.2.3
From 50ccf7e2cff8dfe6345d32e5c3b69a544eef52ea Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 10 Mar 2022 15:28:01 +0100
Subject: Validate the password before generating an apptoken
Signed-off-by: Joas Schilling
---
 core/Command/User/AddAppPassword.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/core/Command/User/AddAppPassword.php b/core/Command/User/AddAppPassword.php
index 34c8dc67ccc..4f636c406fb 100644
--- a/core/Command/User/AddAppPassword.php
+++ b/core/Command/User/AddAppPassword.php
@@ -109,8 +109,10 @@ class AddAppPassword extends Command {
 return 1;
 }
- $output->writeln('The password is not validated so what you provide is what gets recorded in the token');
-
+ if (!$this->userManager->checkPassword($user->getUID(), $password)) {
+ $output->writeln('The provided password is invalid');
+ return 1;
+ }
 $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 $generatedToken = $this->tokenProvider->generateToken(
-- cgit v1.2.3
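Review bot: The new `setAuthor(...)` line in the `@@ -58,7 +64,7 @@` hunk of AppPasswordCreatedActivityListener.php calls `$this->userSession->getUser()` twice and relies on object truthiness for the null check. Reading it once keeps check and use on the same value and makes the "no session" case explicit: put `$sessionUser = $this->userSession->getUser();` before the `$activity` chain and use `->setAuthor($sessionUser !== null ? $sessionUser->getUID() : '')`. A short comment saying the empty author stands for a session-less caller (for example the occ command) would help, since the activity text is chosen from that value. The enclosing method starts before this hunk.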
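Review bot: The guard added in the `@@ -109,8 +109,10 @@` hunk of core/Command/User/AddAppPassword.php only tests the result of `checkPassword()` for truthiness, although the method returns the authenticated user object and that object is never compared with `$user`. The first argument is a login name while the command passes a UID; on backends where those are different namespaces this can presumably reject a correct password or accept the password of a different account whose login name equals this UID, which is worth confirming. Binding the result closes the second case: `$checked = $this->userManager->checkPassword($user->getUID(), $password);` then `if ($checked === false || $checked->getUID() !== $user->getUID()) {`. The command body begins and ends outside the hunk.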