From dfb4d426c24c8cbb7e207a3dd92b5fcd894a1977 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Wed, 11 May 2016 11:23:25 +0200 Subject: Add two factor auth to core --- .../Exceptions/LoginRequiredException.php | 29 +++++ .../Exceptions/TwoFactorAuthRequiredException.php | 29 +++++ .../Exceptions/UserAlreadyLoggedInException.php | 29 +++++ .../Authentication/TwoFactorAuth/Manager.php | 141 +++++++++++++++++++++ 4 files changed, 228 insertions(+) create mode 100644 lib/private/Authentication/Exceptions/LoginRequiredException.php create mode 100644 lib/private/Authentication/Exceptions/TwoFactorAuthRequiredException.php create mode 100644 lib/private/Authentication/Exceptions/UserAlreadyLoggedInException.php create mode 100644 lib/private/Authentication/TwoFactorAuth/Manager.php (limited to 'lib/private/Authentication')
diff --git a/lib/private/Authentication/Exceptions/LoginRequiredException.php b/lib/private/Authentication/Exceptions/LoginRequiredException.php
new file mode 100644
index 00000000000..1c388cc1e3f
--- /dev/null
+++ b/lib/private/Authentication/Exceptions/LoginRequiredException.php
@@ -0,0 +1,29 @@
+
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Authentication\Exceptions;
+
+use Exception;
+
+class LoginRequiredException extends Exception {
+
+}
diff --git a/lib/private/Authentication/Exceptions/TwoFactorAuthRequiredException.php b/lib/private/Authentication/Exceptions/TwoFactorAuthRequiredException.php
new file mode 100644
index 00000000000..dc9f8937504
--- /dev/null
+++ b/lib/private/Authentication/Exceptions/TwoFactorAuthRequiredException.php
@@ -0,0 +1,29 @@
+
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Authentication\Exceptions;
+
+use Exception;
+
+class TwoFactorAuthRequiredException extends Exception {
+
+}
diff --git a/lib/private/Authentication/Exceptions/UserAlreadyLoggedInException.php b/lib/private/Authentication/Exceptions/UserAlreadyLoggedInException.php
new file mode 100644
index 00000000000..28a46323f02
--- /dev/null
+++ b/lib/private/Authentication/Exceptions/UserAlreadyLoggedInException.php
@@ -0,0 +1,29 @@
+
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Authentication\Exceptions;
+
+use Exception;
+
+class UserAlreadyLoggedInException extends Exception {
+
+}
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
new file mode 100644
index 00000000000..2fdadee6d3e
--- /dev/null
+++ b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -0,0 +1,141 @@
+
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OC\Authentication\TwoFactorAuth;
+
+use OC;
+use OC\App\AppManager;
+use OCP\AppFramework\QueryException;
+use OCP\Authentication\TwoFactorAuth\IProvider;
+use OCP\ISession;
+use OCP\IUser;
+
+class Manager {
+
+ const SESSION_UID_KEY = 'two_factor_auth_uid';
+
+ /** @var AppManager */
+ private $appManager;
+
+ /** @var ISession */
+ private $session;
+
+ /**
+ * @param AppManager $appManager
+ * @param ISession $session
+ */
+ public function __construct(AppManager $appManager, ISession $session) {
+ $this->appManager = $appManager;
+ $this->session = $session;
+ }
+
+ /**
+ * Determine whether the user must provide a second factor challenge
+ *
+ * @param IUser $user
+ * @return boolean
+ */
+ public function isTwoFactorAuthenticated(IUser $user) {
+ return count($this->getProviders($user)) > 0;
+ }
+
+ /**
+ * Get a 2FA provider by its ID
+ *
+ * @param IUser $user
+ * @param string $challengeProviderId
+ * @return IProvider|null
+ */
+ public function getProvider(IUser $user, $challengeProviderId) {
+ $providers = $this->getProviders($user);
+ return isset($providers[$challengeProviderId]) ? $providers[$challengeProviderId] : null;
+ }
+
+ /**
+ * Get the list of 2FA providers for the given user
+ *
+ * @param IUser $user
+ * @return IProvider[]
+ */
+ public function getProviders(IUser $user) {
+ $allApps = $this->appManager->getEnabledAppsForUser($user);
+ $providers = [];
+
+ foreach ($allApps as $appId) {
+ $info = $this->appManager->getAppInfo($appId);
+ $providerClasses = $info['two-factor-providers'];
+ foreach ($providerClasses as $class) {
+ try {
+ $provider = OC::$server->query($class);
+ $providers[$provider->getId()] = $provider;
+ } catch (QueryException $exc) {
+ // Provider class can not be resolved, ignore it
+ }
+ }
+ }
+
+ return array_filter($providers, function ($provider) use ($user) {
+ /* @var $provider IProvider */
+ return $provider->isTwoFactorAuthEnabledForUser($user);
+ });
+ }
+
+ /**
+ * Verify the given challenge
+ *
+ * @param string $providerId
+ * @param IUser $user
+ * @param string $challenge
+ * @return boolean
+ */
+ public function verifyChallenge($providerId, IUser $user, $challenge) {
+ $provider = $this->getProvider($user, $providerId);
+ if (is_null($provider)) {
+ return false;
+ }
+
+ $result = $provider->verifyChallenge($user, $challenge);
+ if ($result) {
+ $this->session->remove(self::SESSION_UID_KEY);
+ }
+ return $result;
+ }
+
+ /**
+ * Check if the currently logged in user needs to pass 2FA
+ *
+ * @return boolean
+ */
+ public function needsSecondFactor() {
+ return $this->session->exists(self::SESSION_UID_KEY);
+ }
+
+ /**
+ * Prepare the 2FA login (set session value)
+ *
+ * @param IUser $user
+ */
+ public function prepareTwoFactorLogin(IUser $user) {
+ $this->session->set(self::SESSION_UID_KEY, $user->getUID());
+ }
+
+}
-- cgit v1.2.3
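Review bot: In `getProviders()` a provider class that cannot be resolved is dropped silently by the empty `catch (QueryException $exc)` block, and `isTwoFactorAuthenticated()` reports no second factor when the resulting list is empty, so a broken or half-upgraded provider app appears to downgrade the affected users to password-only login without leaving any trace. At minimum the catch should record the failure, for example `OC::$server->getLogger()->logException($exc, ['app' => $appId]);`, and it is worth deciding whether an unresolvable provider should fail closed rather than open. The same loop reads `$info['two-factor-providers']` without checking that the key exists, which looks like it raises a notice for every enabled app that declares no providers unless `getAppInfo()` fills in a default; `if (!isset($info['two-factor-providers'])) { continue; }` before the inner `foreach` would guard it. `verifyChallenge()` shows no limit on failed attempts in this file, so throttling needs to be confirmed in the calling controller.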