nextcloud/core/Controller/AppPasswordController.php

<?php

declare(strict_types=1);

/**
 * @copyright Copyright (c) 2018, Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @author Daniel Kesselberg <mail@danielkesselberg.de>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

namespace OC\Core\Controller;

use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\IProvider;
use OC\Authentication\Token\IToken;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSForbiddenException;
use OCP\Authentication\Exceptions\CredentialsUnavailableException;
use OCP\Authentication\Exceptions\PasswordUnavailableException;
use OCP\Authentication\LoginCredentials\IStore;
use OCP\IRequest;
use OCP\ISession;
use OCP\Security\ISecureRandom;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\GenericEvent;

class AppPasswordController extends \OCP\AppFramework\OCSController {

	/** @var ISession */
	private $session;

	/** @var ISecureRandom */
	private $random;

	/** @var IProvider */
	private $tokenProvider;

	/** @var IStore */
	private $credentialStore;

	/** @var EventDispatcherInterface */
	private $eventDispatcher;

	public function __construct(string $appName,
								IRequest $request,
								ISession $session,
								ISecureRandom $random,
								IProvider $tokenProvider,
								IStore $credentialStore,
								EventDispatcherInterface $eventDispatcher) {
		parent::__construct($appName, $request);

		$this->session = $session;
		$this->random = $random;
		$this->tokenProvider = $tokenProvider;
		$this->credentialStore = $credentialStore;
		$this->eventDispatcher = $eventDispatcher;
	}

	/**
	 * @NoAdminRequired
	 *
	 * @return DataResponse
	 * @throws OCSForbiddenException
	 */
	public function getAppPassword(): DataResponse {
		// We do not allow the creation of new tokens if this is an app password
		if ($this->session->exists('app_password')) {
			throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');
		}

		try {
			$credentials = $this->credentialStore->getLoginCredentials();
		} catch (CredentialsUnavailableException $e) {
			throw new OCSForbiddenException();
		}

		try {
			$password = $credentials->getPassword();
		} catch (PasswordUnavailableException $e) {
			$password = null;
		}

		$userAgent = $this->request->getHeader('USER_AGENT');

		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

		$generatedToken = $this->tokenProvider->generateToken(
			$token,
			$credentials->getUID(),
			$credentials->getLoginName(),
			$password,
			$userAgent,
			IToken::PERMANENT_TOKEN,
			IToken::DO_NOT_REMEMBER
		);

		$event = new GenericEvent($generatedToken);
		$this->eventDispatcher->dispatch('app_password_created', $event);

		return new DataResponse([
			'apppassword' => $token
		]);
	}

	/**
	 * @NoAdminRequired
	 *
	 * @return DataResponse
	 */
	public function deleteAppPassword() {
		if (!$this->session->exists('app_password')) {
			throw new OCSForbiddenException('no app password in use');
		}

		$appPassword = $this->session->get('app_password');

		try {
			$token = $this->tokenProvider->getToken($appPassword);
		} catch (InvalidTokenException $e) {
			throw new OCSForbiddenException('could not remove apptoken');
		}

		$this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
		return new DataResponse();
	}

	/**
	 * @NoAdminRequired
	 */
	public function rotateAppPassword(): DataResponse {
		if (!$this->session->exists('app_password')) {
			throw new OCSForbiddenException('no app password in use');
		}

		$appPassword = $this->session->get('app_password');

		try {
			$token = $this->tokenProvider->getToken($appPassword);
		} catch (InvalidTokenException $e) {
			throw new OCSForbiddenException('could not rotate apptoken');
		}

		$newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
		$this->tokenProvider->rotate($token, $appPassword, $newToken);

		return new DataResponse([
			'apppassword' => $newToken,
		]);
	}
}
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`<?php`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`declare(strict_types=1);`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`/**`
			`* @copyright Copyright (c) 2018, Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00			`* @author Daniel Kesselberg <mail@danielkesselberg.de>`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`*`
			`*/`

			`namespace OC\Core\Controller;`

Allow clients to delete their own apptoken Fixes #15480 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-17 10:51:47 +03:00			`use OC\Authentication\Exceptions\InvalidTokenException;`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`use OC\Authentication\Token\IProvider;`
			`use OC\Authentication\Token\IToken;`
			`use OCP\AppFramework\Http\DataResponse;`
			`use OCP\AppFramework\OCS\OCSForbiddenException;`
			`use OCP\Authentication\Exceptions\CredentialsUnavailableException;`
			`use OCP\Authentication\Exceptions\PasswordUnavailableException;`
			`use OCP\Authentication\LoginCredentials\IStore;`
			`use OCP\IRequest;`
			`use OCP\ISession;`
			`use OCP\Security\ISecureRandom;`
Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 19:38:38 +03:00			`use Symfony\Component\EventDispatcher\EventDispatcherInterface;`
			`use Symfony\Component\EventDispatcher\GenericEvent;`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00
			`class AppPasswordController extends \OCP\AppFramework\OCSController {`

			`/** @var ISession */`
			`private $session;`

			`/** @var ISecureRandom */`
			`private $random;`

			`/** @var IProvider */`
			`private $tokenProvider;`

			`/** @var IStore */`
			`private $credentialStore;`

Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 19:38:38 +03:00			`/** @var EventDispatcherInterface */`
			`private $eventDispatcher;`

Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`public function __construct(string $appName,`
			`IRequest $request,`
			`ISession $session,`
			`ISecureRandom $random,`
			`IProvider $tokenProvider,`
Publish activity for app token created by ocs api Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 00:45:05 +03:00			`IStore $credentialStore,`
Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 19:38:38 +03:00			`EventDispatcherInterface $eventDispatcher) {`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`parent::__construct($appName, $request);`

			`$this->session = $session;`
			`$this->random = $random;`
			`$this->tokenProvider = $tokenProvider;`
			`$this->credentialStore = $credentialStore;`
Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 19:38:38 +03:00			`$this->eventDispatcher = $eventDispatcher;`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`}`

			`/**`
			`* @NoAdminRequired`
			`*`
			`* @return DataResponse`
			`* @throws OCSForbiddenException`
			`*/`
			`public function getAppPassword(): DataResponse {`
			`// We do not allow the creation of new tokens if this is an app password`
			`if ($this->session->exists('app_password')) {`
			`throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');`
			`}`

			`try {`
			`$credentials = $this->credentialStore->getLoginCredentials();`
			`} catch (CredentialsUnavailableException $e) {`
			`throw new OCSForbiddenException();`
			`}`

			`try {`
			`$password = $credentials->getPassword();`
			`} catch (PasswordUnavailableException $e) {`
			`$password = null;`
			`}`

			`$userAgent = $this->request->getHeader('USER_AGENT');`

			`$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);`

Publish activity for app token created by ocs api Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 00:45:05 +03:00			`$generatedToken = $this->tokenProvider->generateToken(`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`$token,`
			`$credentials->getUID(),`
			`$credentials->getLoginName(),`
			`$password,`
			`$userAgent,`
			`IToken::PERMANENT_TOKEN,`
			`IToken::DO_NOT_REMEMBER`
			`);`

Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 19:38:38 +03:00			`$event = new GenericEvent($generatedToken);`
			`$this->eventDispatcher->dispatch('app_password_created', $event);`
Publish activity for app token created by ocs api Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-02-18 00:45:05 +03:00
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`return new DataResponse([`
			`'apppassword' => $token`
			`]);`
			`}`
Allow clients to delete their own apptoken Fixes #15480 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-17 10:51:47 +03:00
			`/**`
			`* @NoAdminRequired`
			`*`
			`* @return DataResponse`
			`*/`
			`public function deleteAppPassword() {`
			`if (!$this->session->exists('app_password')) {`
			`throw new OCSForbiddenException('no app password in use');`
			`}`

			`$appPassword = $this->session->get('app_password');`

			`try {`
			`$token = $this->tokenProvider->getToken($appPassword);`
			`} catch (InvalidTokenException $e) {`
			`throw new OCSForbiddenException('could not remove apptoken');`
			`}`

			`$this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());`
			`return new DataResponse();`
			`}`
Allow rotation of apppasswords Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-08-27 14:46:06 +03:00
			`/**`
			`* @NoAdminRequired`
			`*/`
			`public function rotateAppPassword(): DataResponse {`
			`if (!$this->session->exists('app_password')) {`
			`throw new OCSForbiddenException('no app password in use');`
			`}`

			`$appPassword = $this->session->get('app_password');`

			`try {`
			`$token = $this->tokenProvider->getToken($appPassword);`
			`} catch (InvalidTokenException $e) {`
			`throw new OCSForbiddenException('could not rotate apptoken');`
			`}`

			`$newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);`
			`$this->tokenProvider->rotate($token, $appPassword, $newToken);`

			`return new DataResponse([`
			`'apppassword' => $newToken,`
			`]);`
			`}`
Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-03 12:48:02 +03:00			`}`