From 7586b19e524761c1e8aab5170375a0d6c9e8f7a2 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Mon, 10 Sep 2018 17:02:37 +0200 Subject: Only allow 2FA state changs if providers support the operation Ref https://github.com/nextcloud/server/issues/11019. Add `twofactorauth:cleanup` command Signed-off-by: Christoph Wurst --- core/Command/TwoFactorAuth/Cleanup.php | 61 ++++++++++++++++++++++++++++++++++ core/Command/TwoFactorAuth/Disable.php | 18 +++++++--- core/Command/TwoFactorAuth/Enable.php | 19 +++++++---- core/Command/TwoFactorAuth/State.php | 8 +++-- 4 files changed, 92 insertions(+), 14 deletions(-) create mode 100644 core/Command/TwoFactorAuth/Cleanup.php (limited to 'core/Command') diff --git a/core/Command/TwoFactorAuth/Cleanup.php b/core/Command/TwoFactorAuth/Cleanup.php new file mode 100644 index 00000000000..b9acc649784 --- /dev/null +++ b/core/Command/TwoFactorAuth/Cleanup.php 
@@ -0,0 +1,61 @@
+
+ *
+ * @author 2018 Christoph Wurst
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OC\Core\Command\TwoFactorAuth;
+
+use OCP\Authentication\TwoFactorAuth\IRegistry;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class Cleanup extends Base {
+
+ /** @var IRegistry */
+ private $registry;
+
+ public function __construct(IRegistry $registry) {
+ parent::__construct();
+
+ $this->registry = $registry;
+ }
+
+ protected function configure() {
+ parent::configure();
+
+ $this->setName('twofactorauth:cleanup');
+ $this->setDescription('Clean up the two-factor user-provider association of an uninstalled/removed provider');
+ $this->addArgument('provider-id', InputArgument::REQUIRED);
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output) {
+ $providerId = $input->getArgument('provider-id');
+
+ $this->registry->cleanUp($providerId);
+
+ $output->writeln("All user-provider associations for provider $providerId have been removed.");
+ }
+
+}
diff --git a/core/Command/TwoFactorAuth/Disable.php b/core/Command/TwoFactorAuth/Disable.php
index 0564c89017c..fc180e790b1 100644
--- a/core/Command/TwoFactorAuth/Disable.php
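Review bot: `execute()` passes the `provider-id` argument straight to `$this->registry->cleanUp($providerId)` and then always prints the success line, so a mistyped id, or the id of a provider that is still installed, is handled exactly like a removed one. If the registry rows are what marks a provider as enabled for a user (an assumption; `cleanUp` is not shown here), running this against a live provider would silently clear that state for every account, so the command should at least say so in its description or ask for confirmation. The method also returns nothing, while the Enable, Disable and State commands in this commit now return explicit exit codes; ending it with `return 0;` keeps scripts able to tell success from failure. The argument is spelled `provider-id` here but `provider_id` in the Enable and Disable commands, and one spelling should be used throughout.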
+++ b/core/Command/TwoFactorAuth/Disable.php @@ -24,6 +24,7 @@ namespace OC\Core\Command\TwoFactorAuth; use OC\Authentication\TwoFactorAuth\Manager; +use OC\Authentication\TwoFactorAuth\ProviderManager; use OCP\IUserManager; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; @@ -31,13 +32,13 @@ use Symfony\Component\Console\Output\OutputInterface; class Disable extends Base { - /** @var Manager */ + /** @var ProviderManager */ private $manager; /** @var IUserManager */ protected $userManager; - public function __construct(Manager $manager, IUserManager $userManager) { + public function __construct(ProviderManager $manager, IUserManager $userManager) { parent::__construct('twofactorauth:disable'); $this->manager = $manager; $this->userManager = $userManager; @@ -49,17 +50,24 @@ class Disable extends Base { $this->setName('twofactorauth:disable'); $this->setDescription('Disable two-factor authentication for a user'); $this->addArgument('uid', InputArgument::REQUIRED); + $this->addArgument('provider_id', InputArgument::REQUIRED); } protected function execute(InputInterface $input, OutputInterface $output) { $uid = $input->getArgument('uid'); + $providerId = $input->getArgument('provider_id'); $user = $this->userManager->get($uid); if (is_null($user)) { $output->writeln("Invalid UID"); - return; + return 1; + } + if ($this->manager->tryDisableProviderFor($providerId, $user)) { + $output->writeln("Two-factor provider $providerId disabled for user $uid."); + return 0; + } else { + $output->writeln("The provider does not support this operation."); + return 2; } - $this->manager->disableTwoFactorAuthentication($user); - $output->writeln("Two-factor authentication disabled for user $uid"); } } diff --git a/core/Command/TwoFactorAuth/Enable.php b/core/Command/TwoFactorAuth/Enable.php index 98e8b178cdb..4a9c12e686d 100644 --- a/core/Command/TwoFactorAuth/Enable.php +++ b/core/Command/TwoFactorAuth/Enable.php 
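Review bot: In `execute()` every `false` result from `tryDisableProviderFor($providerId, $user)` is reported as "The provider does not support this operation." with exit code 2, which presumably also covers a provider id that does not exist, so an operator cannot tell a typo from a real refusal; the same applies to the `tryEnableProviderFor` branch in Enable.php. Since these commands change a user's second-factor state, a separate message and exit code for an unknown provider would make failed changes easier to spot in admin scripts and logs. The description strings still read `Disable two-factor authentication for a user` and `Enable two-factor authentication for a user` although the commands now act on one provider; something like `Disable a two-factor provider for a user` would match the new behaviour. `provider_id` is also a new required argument, so existing invocations with only a uid will now fail, which deserves a line in the upgrade notes.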
@@ -23,7 +23,7 @@ namespace OC\Core\Command\TwoFactorAuth; -use OC\Authentication\TwoFactorAuth\Manager; +use OC\Authentication\TwoFactorAuth\ProviderManager; use OCP\IUserManager; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; @@ -31,13 +31,13 @@ use Symfony\Component\Console\Output\OutputInterface; class Enable extends Base { - /** @var Manager */ + /** @var ProviderManager */ private $manager; /** @var IUserManager */ protected $userManager; - public function __construct(Manager $manager, IUserManager $userManager) { + public function __construct(ProviderManager $manager, IUserManager $userManager) { parent::__construct('twofactorauth:enable'); $this->manager = $manager; $this->userManager = $userManager; @@ -49,17 +49,24 @@ class Enable extends Base { $this->setName('twofactorauth:enable'); $this->setDescription('Enable two-factor authentication for a user'); $this->addArgument('uid', InputArgument::REQUIRED); + $this->addArgument('provider_id', InputArgument::REQUIRED); } protected function execute(InputInterface $input, OutputInterface $output) { $uid = $input->getArgument('uid'); + $providerId = $input->getArgument('provider_id'); $user = $this->userManager->get($uid); if (is_null($user)) { $output->writeln("Invalid UID"); - return; + return 1; + } + if ($this->manager->tryEnableProviderFor($providerId, $user)) { + $output->writeln("Two-factor provider $providerId enabled for user $uid."); + return 0; + } else { + $output->writeln("The provider does not support this operation."); + return 2; } - $this->manager->enableTwoFactorAuthentication($user); - $output->writeln("Two-factor authentication enabled for user $uid"); } } diff --git a/core/Command/TwoFactorAuth/State.php b/core/Command/TwoFactorAuth/State.php index 73e17b4ceb7..66d2b4f3eec 100644 --- a/core/Command/TwoFactorAuth/State.php +++ b/core/Command/TwoFactorAuth/State.php @@ -1,6 +1,6 @@ 
@@ -57,7 +57,7 @@ class State extends Base { $user = $this->userManager->get($uid); if (is_null($user)) { $output->writeln("Invalid UID"); - return; + return 1; } $providerStates = $this->registry->getProviderStates($user); @@ -73,6 +73,8 @@ class State extends Base { $output->writeln(""); $this->printProviders("Enabled providers", $enabled, $output); $this->printProviders("Disabled providers", $disabled, $output); + + return 0; } private function filterEnabledDisabledUnknownProviders(array $providerStates): array { @@ -91,7 +93,7 @@ class State extends Base { } private function printProviders(string $title, array $providers, - OutputInterface $output) { + OutputInterface $output) { if (empty($providers)) { // Ignore and don't print anything return; -- cgit v1.2.3