2013-05-29 01:46:57 +04:00
|
|
|
<?php
|
|
|
|
/**
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Bernhard Posselt <dev@bernhard-posselt.com>
|
2016-04-25 15:10:55 +03:00
|
|
|
* @author Christoph Wurst <christoph@owncloud.com>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
|
2016-05-26 20:56:05 +03:00
|
|
|
* @author Lukas Reschke <lukas@statuscode.ch>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Morris Jobke <hey@morrisjobke.de>
|
|
|
|
* @author Robin Appelman <icewind@owncloud.com>
|
2016-01-12 17:02:16 +03:00
|
|
|
* @author Robin McCorkell <robin@mccorkell.me.uk>
|
2015-03-26 13:44:34 +03:00
|
|
|
* @author Thomas Müller <thomas.mueller@tmit.eu>
|
|
|
|
* @author Vincent Petry <pvince81@owncloud.com>
|
|
|
|
*
|
2016-01-12 17:02:16 +03:00
|
|
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
2015-03-26 13:44:34 +03:00
|
|
|
* @license AGPL-3.0
|
|
|
|
*
|
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
* as published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
*
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
2015-02-26 13:37:37 +03:00
|
|
|
|
2013-05-29 01:46:57 +04:00
|
|
|
namespace OC\User;
|
|
|
|
|
2016-04-25 15:10:55 +03:00
|
|
|
use OC;
|
|
|
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
2016-05-31 11:48:14 +03:00
|
|
|
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
2016-06-17 12:01:35 +03:00
|
|
|
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
2016-04-25 15:10:55 +03:00
|
|
|
use OC\Authentication\Token\IProvider;
|
2016-04-27 10:38:30 +03:00
|
|
|
use OC\Authentication\Token\IToken;
|
2013-05-29 01:46:57 +04:00
|
|
|
use OC\Hooks\Emitter;
|
2016-04-25 15:10:55 +03:00
|
|
|
use OC_User;
|
2016-05-02 20:58:19 +03:00
|
|
|
use OC_Util;
|
2016-04-25 15:10:55 +03:00
|
|
|
use OCA\DAV\Connector\Sabre\Auth;
|
2016-05-02 20:58:19 +03:00
|
|
|
use OCP\AppFramework\Utility\ITimeFactory;
|
2016-05-24 15:08:42 +03:00
|
|
|
use OCP\IConfig;
|
2016-04-25 15:10:55 +03:00
|
|
|
use OCP\IRequest;
|
2016-04-07 16:39:34 +03:00
|
|
|
use OCP\ISession;
|
2016-04-25 15:10:55 +03:00
|
|
|
use OCP\IUser;
|
2016-04-07 16:39:34 +03:00
|
|
|
use OCP\IUserManager;
|
2014-07-09 17:32:33 +04:00
|
|
|
use OCP\IUserSession;
|
2016-05-03 17:35:00 +03:00
|
|
|
use OCP\Session\Exceptions\SessionNotAvailableException;
|
2016-05-31 11:48:14 +03:00
|
|
|
use OCP\Util;
|
2013-05-29 01:46:57 +04:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Class Session
|
|
|
|
*
|
|
|
|
* Hooks available in scope \OC\User:
|
|
|
|
* - preSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
|
|
|
|
* - postSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
|
|
|
|
* - preDelete(\OC\User\User $user)
|
|
|
|
* - postDelete(\OC\User\User $user)
|
|
|
|
* - preCreateUser(string $uid, string $password)
|
|
|
|
* - postCreateUser(\OC\User\User $user)
|
|
|
|
* - preLogin(string $user, string $password)
|
2014-05-26 15:53:26 +04:00
|
|
|
* - postLogin(\OC\User\User $user, string $password)
|
|
|
|
* - preRememberedLogin(string $uid)
|
|
|
|
* - postRememberedLogin(\OC\User\User $user)
|
2013-05-29 01:46:57 +04:00
|
|
|
* - logout()
|
|
|
|
*
|
|
|
|
* @package OC\User
|
|
|
|
*/
|
2014-07-09 17:32:33 +04:00
|
|
|
class Session implements IUserSession, Emitter {
|
2016-05-24 15:08:42 +03:00
|
|
|
|
|
|
|
/** @var IUserManager $manager */
|
2013-05-29 01:46:57 +04:00
|
|
|
private $manager;
|
|
|
|
|
2016-05-17 18:20:54 +03:00
|
|
|
/** @var ISession $session */
|
2013-05-29 01:46:57 +04:00
|
|
|
private $session;
|
|
|
|
|
2016-05-17 18:20:54 +03:00
|
|
|
/** @var ITimeFactory */
|
2016-05-02 20:58:19 +03:00
|
|
|
private $timeFacory;
|
|
|
|
|
2016-05-17 18:20:54 +03:00
|
|
|
/** @var IProvider */
|
2016-04-25 15:10:55 +03:00
|
|
|
private $tokenProvider;
|
|
|
|
|
2016-05-24 15:08:42 +03:00
|
|
|
/** @var IConfig */
|
|
|
|
private $config;
|
|
|
|
|
2016-05-17 18:20:54 +03:00
|
|
|
/** @var User $activeUser */
|
2013-05-29 01:46:57 +04:00
|
|
|
protected $activeUser;
|
|
|
|
|
|
|
|
/**
|
2016-04-07 16:39:34 +03:00
|
|
|
* @param IUserManager $manager
|
|
|
|
* @param ISession $session
|
2016-05-06 17:31:40 +03:00
|
|
|
* @param ITimeFactory $timeFacory
|
|
|
|
* @param IProvider $tokenProvider
|
2016-05-24 15:08:42 +03:00
|
|
|
* @param IConfig $config
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
2016-05-24 15:08:42 +03:00
|
|
|
public function __construct(IUserManager $manager, ISession $session, ITimeFactory $timeFacory, $tokenProvider, IConfig $config) {
|
2013-05-29 01:46:57 +04:00
|
|
|
$this->manager = $manager;
|
|
|
|
$this->session = $session;
|
2016-05-02 20:58:19 +03:00
|
|
|
$this->timeFacory = $timeFacory;
|
2016-04-25 15:10:55 +03:00
|
|
|
$this->tokenProvider = $tokenProvider;
|
2016-05-24 15:08:42 +03:00
|
|
|
$this->config = $config;
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
|
2016-04-27 13:01:13 +03:00
|
|
|
/**
|
2016-05-17 18:20:54 +03:00
|
|
|
* @param IProvider $provider
|
2016-04-27 13:01:13 +03:00
|
|
|
*/
|
2016-05-17 18:20:54 +03:00
|
|
|
public function setTokenProvider(IProvider $provider) {
|
2016-04-27 13:01:13 +03:00
|
|
|
$this->tokenProvider = $provider;
|
|
|
|
}
|
|
|
|
|
2013-05-29 01:46:57 +04:00
|
|
|
/**
|
|
|
|
* @param string $scope
|
|
|
|
* @param string $method
|
|
|
|
* @param callable $callback
|
|
|
|
*/
|
2015-05-08 15:27:22 +03:00
|
|
|
public function listen($scope, $method, callable $callback) {
|
2013-05-29 01:46:57 +04:00
|
|
|
$this->manager->listen($scope, $method, $callback);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param string $scope optional
|
|
|
|
* @param string $method optional
|
|
|
|
* @param callable $callback optional
|
|
|
|
*/
|
2016-04-26 12:32:35 +03:00
|
|
|
public function removeListener($scope = null, $method = null, callable $callback = null) {
|
2013-05-29 01:46:57 +04:00
|
|
|
$this->manager->removeListener($scope, $method, $callback);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-06-03 15:33:56 +04:00
|
|
|
* get the manager object
|
|
|
|
*
|
2016-04-25 15:10:55 +03:00
|
|
|
* @return Manager
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
|
|
|
public function getManager() {
|
|
|
|
return $this->manager;
|
|
|
|
}
|
|
|
|
|
2014-07-16 21:40:22 +04:00
|
|
|
/**
|
|
|
|
* get the session object
|
|
|
|
*
|
2016-04-07 16:39:34 +03:00
|
|
|
* @return ISession
|
2014-07-16 21:40:22 +04:00
|
|
|
*/
|
|
|
|
public function getSession() {
|
|
|
|
return $this->session;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* set the session object
|
|
|
|
*
|
2016-04-07 16:39:34 +03:00
|
|
|
* @param ISession $session
|
2014-07-16 21:40:22 +04:00
|
|
|
*/
|
2016-04-07 16:39:34 +03:00
|
|
|
public function setSession(ISession $session) {
|
|
|
|
if ($this->session instanceof ISession) {
|
2014-07-16 21:40:22 +04:00
|
|
|
$this->session->close();
|
|
|
|
}
|
|
|
|
$this->session = $session;
|
2014-10-13 15:11:48 +04:00
|
|
|
$this->activeUser = null;
|
2014-07-16 21:40:22 +04:00
|
|
|
}
|
|
|
|
|
2013-05-29 01:46:57 +04:00
|
|
|
/**
|
|
|
|
* set the currently active user
|
|
|
|
*
|
2016-04-25 15:10:55 +03:00
|
|
|
* @param User|null $user
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
|
|
|
public function setUser($user) {
|
|
|
|
if (is_null($user)) {
|
|
|
|
$this->session->remove('user_id');
|
|
|
|
} else {
|
|
|
|
$this->session->set('user_id', $user->getUID());
|
|
|
|
}
|
|
|
|
$this->activeUser = $user;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* get the current active user
|
|
|
|
*
|
2016-04-25 15:10:55 +03:00
|
|
|
* @return IUser|null Current user, otherwise null
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
|
|
|
public function getUser() {
|
2014-12-17 23:53:43 +03:00
|
|
|
// FIXME: This is a quick'n dirty work-around for the incognito mode as
|
|
|
|
// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
|
2016-04-25 15:10:55 +03:00
|
|
|
if (OC_User::isIncognitoMode()) {
|
2014-12-17 23:53:43 +03:00
|
|
|
return null;
|
|
|
|
}
|
2016-04-28 11:52:28 +03:00
|
|
|
if (is_null($this->activeUser)) {
|
2013-05-29 01:46:57 +04:00
|
|
|
$uid = $this->session->get('user_id');
|
2016-04-28 11:52:28 +03:00
|
|
|
if (is_null($uid)) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
$this->activeUser = $this->manager->get($uid);
|
|
|
|
if (is_null($this->activeUser)) {
|
2013-05-29 01:46:57 +04:00
|
|
|
return null;
|
|
|
|
}
|
2016-06-17 14:59:15 +03:00
|
|
|
$this->validateSession();
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
2016-04-28 11:52:28 +03:00
|
|
|
return $this->activeUser;
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
|
2016-06-17 16:41:32 +03:00
|
|
|
/**
|
|
|
|
* Validate whether the current session is valid
|
|
|
|
*
|
|
|
|
* - For token-authenticated clients, the token validity is checked
|
|
|
|
* - For browsers, the session token validity is checked
|
|
|
|
*/
|
2016-06-17 14:59:15 +03:00
|
|
|
protected function validateSession() {
|
2016-06-17 16:41:32 +03:00
|
|
|
$token = null;
|
|
|
|
$appPassword = $this->session->get('app_password');
|
2016-04-26 12:32:35 +03:00
|
|
|
|
2016-06-17 16:41:32 +03:00
|
|
|
if (is_null($appPassword)) {
|
2016-05-08 20:31:42 +03:00
|
|
|
try {
|
2016-06-17 16:41:32 +03:00
|
|
|
$token = $this->session->getId();
|
|
|
|
} catch (SessionNotAvailableException $ex) {
|
2016-05-06 17:31:40 +03:00
|
|
|
return;
|
2016-04-26 12:32:35 +03:00
|
|
|
}
|
2016-06-17 16:41:32 +03:00
|
|
|
} else {
|
|
|
|
$token = $appPassword;
|
2016-04-26 12:32:35 +03:00
|
|
|
}
|
|
|
|
|
2016-06-17 16:41:32 +03:00
|
|
|
if (!$this->validateToken($token)) {
|
2016-04-28 11:52:28 +03:00
|
|
|
// Session was invalidated
|
2016-04-26 12:32:35 +03:00
|
|
|
$this->logout();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-12-16 21:07:14 +03:00
|
|
|
/**
|
2014-12-19 16:36:00 +03:00
|
|
|
* Checks whether the user is logged in
|
2014-12-16 21:07:14 +03:00
|
|
|
*
|
|
|
|
* @return bool if logged in
|
|
|
|
*/
|
|
|
|
public function isLoggedIn() {
|
2016-04-07 16:39:34 +03:00
|
|
|
$user = $this->getUser();
|
|
|
|
if (is_null($user)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $user->isEnabled();
|
2014-12-16 21:07:14 +03:00
|
|
|
}
|
|
|
|
|
2013-12-11 16:56:45 +04:00
|
|
|
/**
|
|
|
|
* set the login name
|
|
|
|
*
|
2014-05-13 02:27:36 +04:00
|
|
|
* @param string|null $loginName for the logged in user
|
2013-12-11 16:56:45 +04:00
|
|
|
*/
|
2014-01-09 13:27:47 +04:00
|
|
|
public function setLoginName($loginName) {
|
|
|
|
if (is_null($loginName)) {
|
2013-12-11 16:56:45 +04:00
|
|
|
$this->session->remove('loginname');
|
|
|
|
} else {
|
2014-01-09 13:27:47 +04:00
|
|
|
$this->session->set('loginname', $loginName);
|
2013-12-11 16:56:45 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* get the login name of the current user
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
2014-01-09 13:27:47 +04:00
|
|
|
public function getLoginName() {
|
2013-12-11 16:56:45 +04:00
|
|
|
if ($this->activeUser) {
|
|
|
|
return $this->session->get('loginname');
|
|
|
|
} else {
|
|
|
|
$uid = $this->session->get('user_id');
|
|
|
|
if ($uid) {
|
|
|
|
$this->activeUser = $this->manager->get($uid);
|
|
|
|
return $this->session->get('loginname');
|
|
|
|
} else {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-06-03 15:33:56 +04:00
|
|
|
/**
|
2016-05-24 15:08:42 +03:00
|
|
|
* try to log in with the provided credentials
|
2013-06-03 15:33:56 +04:00
|
|
|
*
|
|
|
|
* @param string $uid
|
|
|
|
* @param string $password
|
2014-02-06 19:30:58 +04:00
|
|
|
* @return boolean|null
|
2015-01-22 16:13:17 +03:00
|
|
|
* @throws LoginException
|
2013-06-03 15:33:56 +04:00
|
|
|
*/
|
2013-05-29 01:46:57 +04:00
|
|
|
public function login($uid, $password) {
|
2016-01-04 17:00:58 +03:00
|
|
|
$this->session->regenerateId();
|
2016-06-24 14:57:09 +03:00
|
|
|
if ($this->validateToken($password, $uid)) {
|
2016-05-19 16:52:38 +03:00
|
|
|
// When logging in with token, the password must be decrypted first before passing to login hook
|
|
|
|
try {
|
|
|
|
$token = $this->tokenProvider->getToken($password);
|
2016-05-31 11:48:14 +03:00
|
|
|
try {
|
2016-06-17 14:59:15 +03:00
|
|
|
$loginPassword = $this->tokenProvider->getPassword($token, $password);
|
|
|
|
$this->manager->emit('\OC\User', 'preLogin', array($uid, $loginPassword));
|
2016-05-31 11:48:14 +03:00
|
|
|
} catch (PasswordlessTokenException $ex) {
|
|
|
|
$this->manager->emit('\OC\User', 'preLogin', array($uid, ''));
|
|
|
|
}
|
2016-05-19 16:52:38 +03:00
|
|
|
} catch (InvalidTokenException $ex) {
|
|
|
|
// Invalid token, nothing to do
|
2016-04-27 11:50:17 +03:00
|
|
|
}
|
2016-06-17 14:59:15 +03:00
|
|
|
|
|
|
|
$this->loginWithToken($password);
|
|
|
|
$user = $this->getUser();
|
2016-05-19 16:52:38 +03:00
|
|
|
} else {
|
|
|
|
$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
|
|
|
|
$user = $this->manager->checkPassword($uid, $password);
|
2016-04-27 11:50:17 +03:00
|
|
|
}
|
2014-10-13 15:11:48 +04:00
|
|
|
if ($user !== false) {
|
2013-09-16 16:15:35 +04:00
|
|
|
if (!is_null($user)) {
|
|
|
|
if ($user->isEnabled()) {
|
|
|
|
$this->setUser($user);
|
2014-01-09 13:27:47 +04:00
|
|
|
$this->setLoginName($uid);
|
2013-09-16 16:15:35 +04:00
|
|
|
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
|
2015-01-22 16:13:17 +03:00
|
|
|
if ($this->isLoggedIn()) {
|
2016-04-28 11:52:28 +03:00
|
|
|
$this->prepareUserLogin();
|
2015-01-22 16:13:17 +03:00
|
|
|
return true;
|
|
|
|
} else {
|
2016-04-07 16:39:34 +03:00
|
|
|
// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
|
|
|
|
$message = \OC::$server->getL10N('lib')->t('Login canceled by app');
|
|
|
|
throw new LoginException($message);
|
2015-01-22 16:13:17 +03:00
|
|
|
}
|
2013-09-16 16:15:35 +04:00
|
|
|
} else {
|
2016-04-07 16:39:34 +03:00
|
|
|
// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
|
|
|
|
$message = \OC::$server->getL10N('lib')->t('User disabled');
|
|
|
|
throw new LoginException($message);
|
2013-09-16 16:15:35 +04:00
|
|
|
}
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
}
|
2016-04-07 16:39:34 +03:00
|
|
|
return false;
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
|
2016-05-24 15:08:42 +03:00
|
|
|
/**
|
|
|
|
* Tries to log in a client
|
|
|
|
*
|
|
|
|
* Checks token auth enforced
|
|
|
|
* Checks 2FA enabled
|
|
|
|
*
|
|
|
|
* @param string $user
|
|
|
|
* @param string $password
|
2016-06-13 16:38:34 +03:00
|
|
|
* @param IRequest $request
|
2016-05-24 15:08:42 +03:00
|
|
|
* @throws LoginException
|
2016-06-17 12:01:35 +03:00
|
|
|
* @throws PasswordLoginForbiddenException
|
2016-05-24 15:08:42 +03:00
|
|
|
* @return boolean
|
|
|
|
*/
|
2016-06-13 16:38:34 +03:00
|
|
|
public function logClientIn($user, $password, IRequest $request) {
|
2016-05-24 15:08:42 +03:00
|
|
|
$isTokenPassword = $this->isTokenPassword($password);
|
|
|
|
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
|
2016-06-17 12:01:35 +03:00
|
|
|
throw new PasswordLoginForbiddenException();
|
2016-05-24 15:08:42 +03:00
|
|
|
}
|
|
|
|
if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
|
2016-06-17 12:01:35 +03:00
|
|
|
throw new PasswordLoginForbiddenException();
|
2016-05-24 15:08:42 +03:00
|
|
|
}
|
2016-06-07 14:41:44 +03:00
|
|
|
if (!$this->login($user, $password) ) {
|
|
|
|
$users = $this->manager->getByEmail($user);
|
|
|
|
if (count($users) === 1) {
|
|
|
|
return $this->login($users[0]->getUID(), $password);
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2016-06-13 16:38:34 +03:00
|
|
|
|
2016-06-17 16:41:32 +03:00
|
|
|
if ($isTokenPassword) {
|
|
|
|
$this->session->set('app_password', $password);
|
|
|
|
} else if($this->supportsCookies($request)) {
|
|
|
|
// Password login, but cookies supported -> create (browser) session token
|
2016-06-13 17:00:49 +03:00
|
|
|
$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
|
|
|
|
}
|
2016-06-13 16:38:34 +03:00
|
|
|
|
2016-06-07 14:41:44 +03:00
|
|
|
return true;
|
2016-05-24 15:08:42 +03:00
|
|
|
}
|
|
|
|
|
2016-06-13 17:00:49 +03:00
|
|
|
protected function supportsCookies(IRequest $request) {
|
|
|
|
if (!is_null($request->getCookie('cookie_test'))) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
setcookie('cookie_test', 'test', $this->timeFacory->getTime() + 3600);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-05-24 15:08:42 +03:00
|
|
|
private function isTokenAuthEnforced() {
|
|
|
|
return $this->config->getSystemValue('token_auth_enforced', false);
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function isTwoFactorEnforced($username) {
|
2016-05-31 11:48:14 +03:00
|
|
|
Util::emitHook(
|
2016-05-24 15:08:42 +03:00
|
|
|
'\OCA\Files_Sharing\API\Server2Server',
|
|
|
|
'preLoginNameUsedAsUserName',
|
|
|
|
array('uid' => &$username)
|
|
|
|
);
|
|
|
|
$user = $this->manager->get($username);
|
2016-05-24 17:18:27 +03:00
|
|
|
if (is_null($user)) {
|
2016-06-07 14:41:44 +03:00
|
|
|
$users = $this->manager->getByEmail($username);
|
|
|
|
if (count($users) !== 1) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
$user = $users[0];
|
2016-05-24 17:18:27 +03:00
|
|
|
}
|
2016-05-24 15:08:42 +03:00
|
|
|
// DI not possible due to cyclic dependencies :'-/
|
|
|
|
return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check if the given 'password' is actually a device token
|
|
|
|
*
|
2016-06-07 14:41:44 +03:00
|
|
|
* @param string $password
|
2016-05-24 15:08:42 +03:00
|
|
|
* @return boolean
|
|
|
|
*/
|
|
|
|
public function isTokenPassword($password) {
|
|
|
|
try {
|
|
|
|
$this->tokenProvider->getToken($password);
|
|
|
|
return true;
|
|
|
|
} catch (InvalidTokenException $ex) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-04-28 11:52:28 +03:00
|
|
|
protected function prepareUserLogin() {
|
|
|
|
// TODO: mock/inject/use non-static
|
|
|
|
// Refresh the token
|
|
|
|
\OC::$server->getCsrfTokenManager()->refreshToken();
|
|
|
|
//we need to pass the user name, which may differ from login name
|
|
|
|
$user = $this->getUser()->getUID();
|
2016-05-02 20:58:19 +03:00
|
|
|
OC_Util::setupFS($user);
|
2016-04-28 11:52:28 +03:00
|
|
|
//trigger creation of user home and /files folder
|
|
|
|
\OC::$server->getUserFolder($user);
|
|
|
|
}
|
|
|
|
|
2016-04-25 15:10:55 +03:00
|
|
|
/**
|
|
|
|
* Tries to login the user with HTTP Basic Authentication
|
2016-04-29 15:00:07 +03:00
|
|
|
*
|
2016-05-11 12:23:25 +03:00
|
|
|
* @todo do not allow basic auth if the user is 2FA enforced
|
2016-04-29 15:00:07 +03:00
|
|
|
* @param IRequest $request
|
2016-04-27 10:38:30 +03:00
|
|
|
* @return boolean if the login was successful
|
2016-04-25 15:10:55 +03:00
|
|
|
*/
|
2016-04-29 10:40:33 +03:00
|
|
|
public function tryBasicAuthLogin(IRequest $request) {
|
2016-05-06 17:31:40 +03:00
|
|
|
if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
|
2016-06-17 12:01:35 +03:00
|
|
|
try {
|
|
|
|
if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request)) {
|
|
|
|
/**
|
|
|
|
* Add DAV authenticated. This should in an ideal world not be
|
|
|
|
* necessary but the iOS App reads cookies from anywhere instead
|
|
|
|
* only the DAV endpoint.
|
|
|
|
* This makes sure that the cookies will be valid for the whole scope
|
|
|
|
* @see https://github.com/owncloud/core/issues/22893
|
|
|
|
*/
|
|
|
|
$this->session->set(
|
|
|
|
Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
|
|
|
|
);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
} catch (PasswordLoginForbiddenException $ex) {
|
|
|
|
// Nothing to do
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
|
|
|
}
|
2016-04-27 10:38:30 +03:00
|
|
|
return false;
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
|
|
|
|
2016-06-17 14:59:15 +03:00
|
|
|
private function loginWithToken($token) {
|
|
|
|
try {
|
|
|
|
$dbToken = $this->tokenProvider->getToken($token);
|
|
|
|
} catch (InvalidTokenException $ex) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
$uid = $dbToken->getUID();
|
|
|
|
|
2016-06-20 10:13:47 +03:00
|
|
|
$password = '';
|
2016-06-17 14:59:15 +03:00
|
|
|
try {
|
|
|
|
$password = $this->tokenProvider->getPassword($dbToken, $token);
|
|
|
|
} catch (PasswordlessTokenException $ex) {
|
2016-06-20 10:13:47 +03:00
|
|
|
// Ignore and use empty string instead
|
2016-06-17 14:59:15 +03:00
|
|
|
}
|
2016-06-20 10:13:47 +03:00
|
|
|
$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
|
2016-06-17 14:59:15 +03:00
|
|
|
|
2016-04-25 15:10:55 +03:00
|
|
|
$user = $this->manager->get($uid);
|
|
|
|
if (is_null($user)) {
|
|
|
|
// user does not exist
|
|
|
|
return false;
|
|
|
|
}
|
2016-05-17 11:32:47 +03:00
|
|
|
if (!$user->isEnabled()) {
|
|
|
|
// disabled users can not log in
|
|
|
|
return false;
|
|
|
|
}
|
2016-04-25 15:10:55 +03:00
|
|
|
|
|
|
|
//login
|
|
|
|
$this->setUser($user);
|
2016-06-17 14:59:15 +03:00
|
|
|
|
|
|
|
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
|
2016-04-25 15:10:55 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Create a new session token for the given user credentials
|
|
|
|
*
|
2016-04-27 10:38:30 +03:00
|
|
|
* @param IRequest $request
|
2016-04-25 15:10:55 +03:00
|
|
|
* @param string $uid user UID
|
2016-05-24 11:50:18 +03:00
|
|
|
* @param string $loginName login name
|
2016-04-25 15:10:55 +03:00
|
|
|
* @param string $password
|
|
|
|
* @return boolean
|
|
|
|
*/
|
2016-05-31 11:48:14 +03:00
|
|
|
public function createSessionToken(IRequest $request, $uid, $loginName, $password = null) {
|
2016-04-25 15:10:55 +03:00
|
|
|
if (is_null($this->manager->get($uid))) {
|
|
|
|
// User does not exist
|
|
|
|
return false;
|
|
|
|
}
|
2016-04-26 13:45:08 +03:00
|
|
|
$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
|
2016-06-08 16:03:15 +03:00
|
|
|
try {
|
|
|
|
$sessionId = $this->session->getId();
|
|
|
|
$pwd = $this->getPassword($password);
|
|
|
|
$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name);
|
|
|
|
return true;
|
|
|
|
} catch (SessionNotAvailableException $ex) {
|
|
|
|
// This can happen with OCC, where a memory session is used
|
|
|
|
// if a memory session is used, we shouldn't create a session token anyway
|
|
|
|
return false;
|
|
|
|
}
|
2016-06-03 09:55:00 +03:00
|
|
|
}
|
2016-05-20 18:54:46 +03:00
|
|
|
|
2016-06-03 09:55:00 +03:00
|
|
|
/**
|
|
|
|
* Checks if the given password is a token.
|
|
|
|
* If yes, the password is extracted from the token.
|
|
|
|
* If no, the same password is returned.
|
|
|
|
*
|
|
|
|
* @param string $password either the login password or a device token
|
|
|
|
* @return string|null the password or null if none was set in the token
|
|
|
|
*/
|
|
|
|
private function getPassword($password) {
|
|
|
|
if (is_null($password)) {
|
|
|
|
// This is surely no token ;-)
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
try {
|
|
|
|
$token = $this->tokenProvider->getToken($password);
|
|
|
|
try {
|
|
|
|
return $this->tokenProvider->getPassword($token, $password);
|
|
|
|
} catch (PasswordlessTokenException $ex) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
} catch (InvalidTokenException $ex) {
|
|
|
|
return $password;
|
2016-04-27 13:01:13 +03:00
|
|
|
}
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2016-06-17 14:59:15 +03:00
|
|
|
* @param IToken $dbToken
|
2016-04-25 15:10:55 +03:00
|
|
|
* @param string $token
|
|
|
|
* @return boolean
|
|
|
|
*/
|
2016-06-17 14:59:15 +03:00
|
|
|
private function checkTokenCredentials(IToken $dbToken, $token) {
|
|
|
|
// Check whether login credentials are still valid and the user was not disabled
|
|
|
|
// This check is performed each 5 minutes
|
|
|
|
$lastCheck = $dbToken->getLastCheck() ? : 0;
|
|
|
|
$now = $this->timeFacory->getTime();
|
|
|
|
if ($lastCheck > ($now - 60 * 5)) {
|
|
|
|
// Checked performed recently, nothing to do now
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-05-17 18:20:54 +03:00
|
|
|
try {
|
2016-06-17 14:59:15 +03:00
|
|
|
$pwd = $this->tokenProvider->getPassword($dbToken, $token);
|
2016-05-17 18:20:54 +03:00
|
|
|
} catch (InvalidTokenException $ex) {
|
2016-06-17 14:59:15 +03:00
|
|
|
// An invalid token password was used -> log user out
|
|
|
|
return false;
|
|
|
|
} catch (PasswordlessTokenException $ex) {
|
|
|
|
// Token has no password
|
2016-05-17 18:20:54 +03:00
|
|
|
|
2016-06-17 14:59:15 +03:00
|
|
|
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
|
|
|
|
$this->tokenProvider->invalidateToken($token);
|
|
|
|
return false;
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
2016-06-17 14:59:15 +03:00
|
|
|
|
|
|
|
$dbToken->setLastCheck($now);
|
|
|
|
$this->tokenProvider->updateToken($dbToken);
|
|
|
|
return true;
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
2016-06-17 14:59:15 +03:00
|
|
|
|
|
|
|
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
|
|
|
|
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
|
|
|
|
$this->tokenProvider->invalidateToken($token);
|
|
|
|
// Password has changed or user was disabled -> log user out
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
$dbToken->setLastCheck($now);
|
|
|
|
$this->tokenProvider->updateToken($dbToken);
|
|
|
|
return true;
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
|
|
|
|
2016-04-27 10:38:30 +03:00
|
|
|
/**
|
2016-06-17 14:59:15 +03:00
|
|
|
* Check if the given token exists and performs password/user-enabled checks
|
|
|
|
*
|
|
|
|
* Invalidates the token if checks fail
|
|
|
|
*
|
|
|
|
* @param string $token
|
2016-06-24 14:57:09 +03:00
|
|
|
* @param string $user login name
|
2016-06-17 14:59:15 +03:00
|
|
|
* @return boolean
|
2016-04-27 10:38:30 +03:00
|
|
|
*/
|
2016-06-24 14:57:09 +03:00
|
|
|
private function validateToken($token, $user = null) {
|
2016-06-17 14:59:15 +03:00
|
|
|
try {
|
|
|
|
$dbToken = $this->tokenProvider->getToken($token);
|
2016-05-17 18:20:54 +03:00
|
|
|
} catch (InvalidTokenException $ex) {
|
2016-06-17 14:59:15 +03:00
|
|
|
return false;
|
|
|
|
}
|
2016-05-17 18:20:54 +03:00
|
|
|
|
2016-06-24 14:57:09 +03:00
|
|
|
// Check if login names match
|
|
|
|
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
|
|
|
|
// TODO: this makes it imposssible to use different login names on browser and client
|
|
|
|
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
|
|
|
|
// allow to use the client token with the login name 'user'.
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-06-17 14:59:15 +03:00
|
|
|
if (!$this->checkTokenCredentials($dbToken, $token)) {
|
|
|
|
return false;
|
2016-04-27 10:38:30 +03:00
|
|
|
}
|
2016-06-17 14:59:15 +03:00
|
|
|
|
2016-06-17 16:41:32 +03:00
|
|
|
$this->tokenProvider->updateTokenActivity($dbToken);
|
|
|
|
|
2016-06-17 14:59:15 +03:00
|
|
|
return true;
|
2016-04-27 10:38:30 +03:00
|
|
|
}
|
|
|
|
|
2016-04-25 15:10:55 +03:00
|
|
|
/**
|
|
|
|
* Tries to login the user with auth token header
|
|
|
|
*
|
|
|
|
* @todo check remember me cookie
|
2016-05-09 16:33:56 +03:00
|
|
|
* @return boolean
|
2016-04-25 15:10:55 +03:00
|
|
|
*/
|
2016-04-29 10:40:33 +03:00
|
|
|
public function tryTokenLogin(IRequest $request) {
|
2016-04-25 15:10:55 +03:00
|
|
|
$authHeader = $request->getHeader('Authorization');
|
|
|
|
if (strpos($authHeader, 'token ') === false) {
|
|
|
|
// No auth header, let's try session id
|
2016-05-03 17:35:00 +03:00
|
|
|
try {
|
2016-06-20 11:41:23 +03:00
|
|
|
$token = $this->session->getId();
|
2016-05-03 17:35:00 +03:00
|
|
|
} catch (SessionNotAvailableException $ex) {
|
|
|
|
return false;
|
|
|
|
}
|
2016-04-25 15:10:55 +03:00
|
|
|
} else {
|
|
|
|
$token = substr($authHeader, 6);
|
|
|
|
}
|
2016-06-20 11:41:23 +03:00
|
|
|
|
|
|
|
if (!$this->loginWithToken($token)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if(!$this->validateToken($token)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
2016-04-25 15:10:55 +03:00
|
|
|
}
|
|
|
|
|
2014-05-21 20:03:37 +04:00
|
|
|
/**
|
|
|
|
* perform login using the magic cookie (remember login)
|
|
|
|
*
|
|
|
|
* @param string $uid the username
|
|
|
|
* @param string $currentToken
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public function loginWithCookie($uid, $currentToken) {
|
2016-01-04 17:00:58 +03:00
|
|
|
$this->session->regenerateId();
|
2014-05-26 15:53:26 +04:00
|
|
|
$this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
|
2014-05-21 20:03:37 +04:00
|
|
|
$user = $this->manager->get($uid);
|
2014-10-13 15:11:48 +04:00
|
|
|
if (is_null($user)) {
|
2014-05-21 20:03:37 +04:00
|
|
|
// user does not exist
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// get stored tokens
|
2016-04-25 15:10:55 +03:00
|
|
|
$tokens = OC::$server->getConfig()->getUserKeys($uid, 'login_token');
|
2014-05-21 20:03:37 +04:00
|
|
|
// test cookies token against stored tokens
|
2014-10-13 15:11:48 +04:00
|
|
|
if (!in_array($currentToken, $tokens, true)) {
|
2014-05-21 20:03:37 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
// replace successfully used token with a new one
|
2016-04-25 15:10:55 +03:00
|
|
|
OC::$server->getConfig()->deleteUserValue($uid, 'login_token', $currentToken);
|
|
|
|
$newToken = OC::$server->getSecureRandom()->generate(32);
|
|
|
|
OC::$server->getConfig()->setUserValue($uid, 'login_token', $newToken, time());
|
2014-05-21 20:03:37 +04:00
|
|
|
$this->setMagicInCookie($user->getUID(), $newToken);
|
|
|
|
|
|
|
|
//login
|
|
|
|
$this->setUser($user);
|
|
|
|
$this->manager->emit('\OC\User', 'postRememberedLogin', array($user));
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2013-06-03 15:33:56 +04:00
|
|
|
/**
|
|
|
|
* logout the user from the session
|
|
|
|
*/
|
2013-05-29 01:46:57 +04:00
|
|
|
public function logout() {
|
|
|
|
$this->manager->emit('\OC\User', 'logout');
|
2016-04-25 17:40:41 +03:00
|
|
|
$user = $this->getUser();
|
|
|
|
if (!is_null($user)) {
|
2016-05-03 17:35:00 +03:00
|
|
|
try {
|
|
|
|
$this->tokenProvider->invalidateToken($this->session->getId());
|
|
|
|
} catch (SessionNotAvailableException $ex) {
|
|
|
|
|
|
|
|
}
|
2016-04-25 17:40:41 +03:00
|
|
|
}
|
2013-05-29 01:46:57 +04:00
|
|
|
$this->setUser(null);
|
2014-01-09 13:27:47 +04:00
|
|
|
$this->setLoginName(null);
|
2013-05-29 01:46:57 +04:00
|
|
|
$this->unsetMagicInCookie();
|
2014-10-30 14:10:39 +03:00
|
|
|
$this->session->clear();
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set cookie value to use in next page load
|
|
|
|
*
|
|
|
|
* @param string $username username to be set
|
|
|
|
* @param string $token
|
|
|
|
*/
|
|
|
|
public function setMagicInCookie($username, $token) {
|
2016-04-25 15:10:55 +03:00
|
|
|
$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
|
|
|
|
$expires = time() + OC::$server->getConfig()->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
|
2016-05-06 17:31:40 +03:00
|
|
|
setcookie('oc_username', $username, $expires, OC::$WEBROOT, '', $secureCookie, true);
|
|
|
|
setcookie('oc_token', $token, $expires, OC::$WEBROOT, '', $secureCookie, true);
|
|
|
|
setcookie('oc_remember_login', '1', $expires, OC::$WEBROOT, '', $secureCookie, true);
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2013-06-03 15:33:56 +04:00
|
|
|
* Remove cookie for "remember username"
|
2013-05-29 01:46:57 +04:00
|
|
|
*/
|
|
|
|
public function unsetMagicInCookie() {
|
2015-08-26 15:29:36 +03:00
|
|
|
//TODO: DI for cookies and IRequest
|
2016-04-25 15:10:55 +03:00
|
|
|
$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
|
2015-01-14 13:20:53 +03:00
|
|
|
|
2016-05-06 17:31:40 +03:00
|
|
|
unset($_COOKIE['oc_username']); //TODO: DI
|
|
|
|
unset($_COOKIE['oc_token']);
|
|
|
|
unset($_COOKIE['oc_remember_login']);
|
2016-04-25 15:10:55 +03:00
|
|
|
setcookie('oc_username', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
|
|
|
|
setcookie('oc_token', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
|
|
|
|
setcookie('oc_remember_login', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
|
2013-11-07 21:40:15 +04:00
|
|
|
// old cookies might be stored under /webroot/ instead of /webroot
|
|
|
|
// and Firefox doesn't like it!
|
2016-04-25 15:10:55 +03:00
|
|
|
setcookie('oc_username', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
|
|
|
|
setcookie('oc_token', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
|
|
|
|
setcookie('oc_remember_login', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|
2016-04-25 15:10:55 +03:00
|
|
|
|
2016-06-21 11:23:50 +03:00
|
|
|
/**
|
|
|
|
* Update password of the browser session token if there is one
|
|
|
|
*
|
|
|
|
* @param string $password
|
|
|
|
*/
|
|
|
|
public function updateSessionTokenPassword($password) {
|
|
|
|
try {
|
|
|
|
$sessionId = $this->session->getId();
|
|
|
|
$token = $this->tokenProvider->getToken($sessionId);
|
|
|
|
$this->tokenProvider->setPassword($token, $sessionId, $password);
|
|
|
|
} catch (SessionNotAvailableException $ex) {
|
|
|
|
// Nothing to do
|
|
|
|
} catch (InvalidTokenException $ex) {
|
|
|
|
// Nothing to do
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-05-29 01:46:57 +04:00
|
|
|
}
|