Merge pull request #11143 from nextcloud/feature/2fa-occ-revamp

[Mandatory 2FA] occ commands revamp
This commit is contained in:
Roeland Jago Douma 2018-09-25 16:06:30 +02:00 committed by GitHub
commit 548f4e9a27
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 752 additions and 178 deletions

View File

@ -0,0 +1,61 @@
<?php
declare(strict_types = 1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Core\Command\TwoFactorAuth;
use OCP\Authentication\TwoFactorAuth\IRegistry;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class Cleanup extends Base {
/** @var IRegistry */
private $registry;
public function __construct(IRegistry $registry) {
parent::__construct();
$this->registry = $registry;
}
protected function configure() {
parent::configure();
$this->setName('twofactorauth:cleanup');
$this->setDescription('Clean up the two-factor user-provider association of an uninstalled/removed provider');
$this->addArgument('provider-id', InputArgument::REQUIRED);
}
protected function execute(InputInterface $input, OutputInterface $output) {
$providerId = $input->getArgument('provider-id');
$this->registry->cleanUp($providerId);
$output->writeln("<info>All user-provider associations for provider <options=bold>$providerId</> have been removed.</info>");
}
}

View File

@ -24,6 +24,7 @@
namespace OC\Core\Command\TwoFactorAuth;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Authentication\TwoFactorAuth\ProviderManager;
use OCP\IUserManager;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
@ -31,13 +32,13 @@ use Symfony\Component\Console\Output\OutputInterface;
class Disable extends Base {
/** @var Manager */
/** @var ProviderManager */
private $manager;
/** @var IUserManager */
protected $userManager;
public function __construct(Manager $manager, IUserManager $userManager) {
public function __construct(ProviderManager $manager, IUserManager $userManager) {
parent::__construct('twofactorauth:disable');
$this->manager = $manager;
$this->userManager = $userManager;
@ -49,17 +50,24 @@ class Disable extends Base {
$this->setName('twofactorauth:disable');
$this->setDescription('Disable two-factor authentication for a user');
$this->addArgument('uid', InputArgument::REQUIRED);
$this->addArgument('provider_id', InputArgument::REQUIRED);
}
protected function execute(InputInterface $input, OutputInterface $output) {
$uid = $input->getArgument('uid');
$providerId = $input->getArgument('provider_id');
$user = $this->userManager->get($uid);
if (is_null($user)) {
$output->writeln("<error>Invalid UID</error>");
return;
return 1;
}
if ($this->manager->tryDisableProviderFor($providerId, $user)) {
$output->writeln("Two-factor provider <options=bold>$providerId</> disabled for user <options=bold>$uid</>.");
return 0;
} else {
$output->writeln("<error>The provider does not support this operation.</error>");
return 2;
}
$this->manager->disableTwoFactorAuthentication($user);
$output->writeln("Two-factor authentication disabled for user $uid");
}
}

View File

@ -23,7 +23,7 @@
namespace OC\Core\Command\TwoFactorAuth;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Authentication\TwoFactorAuth\ProviderManager;
use OCP\IUserManager;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
@ -31,13 +31,13 @@ use Symfony\Component\Console\Output\OutputInterface;
class Enable extends Base {
/** @var Manager */
/** @var ProviderManager */
private $manager;
/** @var IUserManager */
protected $userManager;
public function __construct(Manager $manager, IUserManager $userManager) {
public function __construct(ProviderManager $manager, IUserManager $userManager) {
parent::__construct('twofactorauth:enable');
$this->manager = $manager;
$this->userManager = $userManager;
@ -49,17 +49,24 @@ class Enable extends Base {
$this->setName('twofactorauth:enable');
$this->setDescription('Enable two-factor authentication for a user');
$this->addArgument('uid', InputArgument::REQUIRED);
$this->addArgument('provider_id', InputArgument::REQUIRED);
}
protected function execute(InputInterface $input, OutputInterface $output) {
$uid = $input->getArgument('uid');
$providerId = $input->getArgument('provider_id');
$user = $this->userManager->get($uid);
if (is_null($user)) {
$output->writeln("<error>Invalid UID</error>");
return;
return 1;
}
if ($this->manager->tryEnableProviderFor($providerId, $user)) {
$output->writeln("Two-factor provider <options=bold>$providerId</> enabled for user <options=bold>$uid</>.");
return 0;
} else {
$output->writeln("<error>The provider does not support this operation.</error>");
return 2;
}
$this->manager->enableTwoFactorAuthentication($user);
$output->writeln("Two-factor authentication enabled for user $uid");
}
}

View File

@ -1,6 +1,6 @@
<?php
declare(strict_types = 1);
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
@ -57,7 +57,7 @@ class State extends Base {
$user = $this->userManager->get($uid);
if (is_null($user)) {
$output->writeln("<error>Invalid UID</error>");
return;
return 1;
}
$providerStates = $this->registry->getProviderStates($user);
@ -73,6 +73,8 @@ class State extends Base {
$output->writeln("");
$this->printProviders("Enabled providers", $enabled, $output);
$this->printProviders("Disabled providers", $disabled, $output);
return 0;
}
private function filterEnabledDisabledUnknownProviders(array $providerStates): array {
@ -91,7 +93,7 @@ class State extends Base {
}
private function printProviders(string $title, array $providers,
OutputInterface $output) {
OutputInterface $output) {
if (empty($providers)) {
// Ignore and don't print anything
return;

View File

@ -66,12 +66,9 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) {
$application->add(new OC\Core\Command\App\GetPath());
$application->add(new OC\Core\Command\App\ListApps(\OC::$server->getAppManager()));
$application->add(new OC\Core\Command\TwoFactorAuth\Enable(
\OC::$server->getTwoFactorAuthManager(), \OC::$server->getUserManager()
));
$application->add(new OC\Core\Command\TwoFactorAuth\Disable(
\OC::$server->getTwoFactorAuthManager(), \OC::$server->getUserManager()
));
$application->add(\OC::$server->query(\OC\Core\Command\TwoFactorAuth\Cleanup::class));
$application->add(\OC::$server->query(\OC\Core\Command\TwoFactorAuth\Enable::class));
$application->add(\OC::$server->query(\OC\Core\Command\TwoFactorAuth\Disable::class));
$application->add(\OC::$server->query(\OC\Core\Command\TwoFactorAuth\State::class));
$application->add(new OC\Core\Command\Background\Cron(\OC::$server->getConfig()));

View File

@ -434,6 +434,7 @@ return array(
'OC\\Archive\\Archive' => $baseDir . '/lib/private/Archive/Archive.php',
'OC\\Archive\\TAR' => $baseDir . '/lib/private/Archive/TAR.php',
'OC\\Archive\\ZIP' => $baseDir . '/lib/private/Archive/ZIP.php',
'OC\\Authentication\\Exceptions\\InvalidProviderException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidProviderException.php',
'OC\\Authentication\\Exceptions\\InvalidTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
'OC\\Authentication\\Exceptions\\LoginRequiredException' => $baseDir . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => $baseDir . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
@ -456,6 +457,7 @@ return array(
'OC\\Authentication\\TwoFactorAuth\\Db\\ProviderUserAssignmentDao' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php',
'OC\\Authentication\\TwoFactorAuth\\Manager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderLoader' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderManager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/ProviderManager.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderSet' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/ProviderSet.php',
'OC\\Authentication\\TwoFactorAuth\\Registry' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Registry.php',
'OC\\Avatar' => $baseDir . '/lib/private/Avatar.php',
@ -571,6 +573,7 @@ return array(
'OC\\Core\\Command\\Security\\RemoveCertificate' => $baseDir . '/core/Command/Security/RemoveCertificate.php',
'OC\\Core\\Command\\Status' => $baseDir . '/core/Command/Status.php',
'OC\\Core\\Command\\TwoFactorAuth\\Base' => $baseDir . '/core/Command/TwoFactorAuth/Base.php',
'OC\\Core\\Command\\TwoFactorAuth\\Cleanup' => $baseDir . '/core/Command/TwoFactorAuth/Cleanup.php',
'OC\\Core\\Command\\TwoFactorAuth\\Disable' => $baseDir . '/core/Command/TwoFactorAuth/Disable.php',
'OC\\Core\\Command\\TwoFactorAuth\\Enable' => $baseDir . '/core/Command/TwoFactorAuth/Enable.php',
'OC\\Core\\Command\\TwoFactorAuth\\State' => $baseDir . '/core/Command/TwoFactorAuth/State.php',

View File

@ -464,6 +464,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Archive\\Archive' => __DIR__ . '/../../..' . '/lib/private/Archive/Archive.php',
'OC\\Archive\\TAR' => __DIR__ . '/../../..' . '/lib/private/Archive/TAR.php',
'OC\\Archive\\ZIP' => __DIR__ . '/../../..' . '/lib/private/Archive/ZIP.php',
'OC\\Authentication\\Exceptions\\InvalidProviderException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidProviderException.php',
'OC\\Authentication\\Exceptions\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
'OC\\Authentication\\Exceptions\\LoginRequiredException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
@ -486,6 +487,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Authentication\\TwoFactorAuth\\Db\\ProviderUserAssignmentDao' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php',
'OC\\Authentication\\TwoFactorAuth\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderLoader' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderManager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/ProviderManager.php',
'OC\\Authentication\\TwoFactorAuth\\ProviderSet' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/ProviderSet.php',
'OC\\Authentication\\TwoFactorAuth\\Registry' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Registry.php',
'OC\\Avatar' => __DIR__ . '/../../..' . '/lib/private/Avatar.php',
@ -601,6 +603,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Core\\Command\\Security\\RemoveCertificate' => __DIR__ . '/../../..' . '/core/Command/Security/RemoveCertificate.php',
'OC\\Core\\Command\\Status' => __DIR__ . '/../../..' . '/core/Command/Status.php',
'OC\\Core\\Command\\TwoFactorAuth\\Base' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Base.php',
'OC\\Core\\Command\\TwoFactorAuth\\Cleanup' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Cleanup.php',
'OC\\Core\\Command\\TwoFactorAuth\\Disable' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Disable.php',
'OC\\Core\\Command\\TwoFactorAuth\\Enable' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Enable.php',
'OC\\Core\\Command\\TwoFactorAuth\\State' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/State.php',

View File

@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Authentication\Exceptions;
use Exception;
use Throwable;
class InvalidProviderException extends Exception {
public function __construct(string $providerId, Throwable $previous = null) {
parent::__construct("The provider '$providerId' does not exist'", 0, $previous);
}
}

View File

@ -93,4 +93,13 @@ class ProviderUserAssignmentDao {
}
public function deleteAll(string $providerId) {
$qb = $this->conn->getQueryBuilder();
$deleteQuery = $qb->delete(self::TABLE_NAME)
->where($qb->expr()->eq('provider_id', $qb->createNamedParameter($providerId)));
$deleteQuery->execute();
}
}

View File

@ -100,12 +100,6 @@ class Manager {
* @return boolean
*/
public function isTwoFactorAuthenticated(IUser $user): bool {
$twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0;
if (!$twoFactorEnabled) {
return false;
}
$providerStates = $this->providerRegistry->getProviderStates($user);
$providers = $this->providerLoader->getProviders($user);
$fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
@ -113,25 +107,7 @@ class Manager {
$providerIds = array_keys($enabled);
$providerIdsWithoutBackupCodes = array_diff($providerIds, [self::BACKUP_CODES_PROVIDER_ID]);
return $twoFactorEnabled && !empty($providerIdsWithoutBackupCodes);
}
/**
* Disable 2FA checks for the given user
*
* @param IUser $user
*/
public function disableTwoFactorAuthentication(IUser $user) {
$this->config->setUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 1);
}
/**
* Enable all 2FA checks for the given user
*
* @param IUser $user
*/
public function enableTwoFactorAuthentication(IUser $user) {
$this->config->deleteUserValue($user->getUID(), 'core', 'two_factor_auth_disabled');
return !empty($providerIdsWithoutBackupCodes);
}
/**

View File

@ -0,0 +1,98 @@
<?php
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Authentication\TwoFactorAuth;
use OC\Authentication\Exceptions\InvalidProviderException;
use OCP\Authentication\TwoFactorAuth\IActivatableByAdmin;
use OCP\Authentication\TwoFactorAuth\IDeactivableByAdmin;
use OCP\Authentication\TwoFactorAuth\IDeactivatableByAdmin;
use OCP\Authentication\TwoFactorAuth\IProvider;
use OCP\Authentication\TwoFactorAuth\IRegistry;
use OCP\IUser;
class ProviderManager {
/** @var ProviderLoader */
private $providerLoader;
/** @var IRegistry */
private $providerRegistry;
public function __construct(ProviderLoader $providerLoader, IRegistry $providerRegistry) {
$this->providerLoader = $providerLoader;
$this->providerRegistry = $providerRegistry;
}
private function getProvider(string $providerId, IUser $user): IProvider {
$providers = $this->providerLoader->getProviders($user);
if (!isset($providers[$providerId])) {
throw new InvalidProviderException($providerId);
}
return $providers[$providerId];
}
/**
* Try to enable the provider with the given id for the given user
*
* @param IUser $user
*
* @return bool whether the provider supports this operation
*/
public function tryEnableProviderFor(string $providerId, IUser $user): bool {
$provider = $this->getProvider($providerId, $user);
if ($provider instanceof IActivatableByAdmin) {
$provider->enableFor($user);
$this->providerRegistry->enableProviderFor($provider, $user);
return true;
} else {
return false;
}
}
/**
* Try to disable the provider with the given id for the given user
*
* @param IUser $user
*
* @return bool whether the provider supports this operation
*/
public function tryDisableProviderFor(string $providerId, IUser $user): bool {
$provider = $this->getProvider($providerId, $user);
if ($provider instanceof IDeactivatableByAdmin) {
$provider->disableFor($user);
$this->providerRegistry->disableProviderFor($provider, $user);
return true;
} else {
return false;
}
}
}

View File

@ -52,4 +52,7 @@ class Registry implements IRegistry {
$this->assignmentDao->persist($provider->getId(), $user->getUID(), 0);
}
public function cleanUp(string $providerId) {
$this->assignmentDao->deleteAll($providerId);
}
}

View File

@ -62,4 +62,19 @@ interface IRegistry {
* @since 14.0.0
*/
public function disableProviderFor(IProvider $provider, IUser $user);
/**
* Cleans up all entries of the provider with the given id. This is only
* necessary in edge-cases where an admin disabled and/or uninstalled a
* provider app. Invoking this method will make sure outdated provider
* associations are removed so that users can log in.
*
* @since 15.0.0
*
* @param string $providerId
*
* @return void
*/
public function cleanUp(string $providerId);
}

View File

@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Core\Command\TwoFactorAuth;
use OC\Core\Command\TwoFactorAuth\Cleanup;
use OCP\Authentication\TwoFactorAuth\IRegistry;
use PHPUnit\Framework\MockObject\MockObject;
use Symfony\Component\Console\Tester\CommandTester;
use Test\TestCase;
class CleanupTest extends TestCase {
/** @var IRegistry|MockObject */
private $registry;
/** @var CommandTester */
private $cmd;
protected function setUp() {
parent::setUp();
$this->registry = $this->createMock(IRegistry::class);
$cmd = new Cleanup($this->registry);
$this->cmd = new CommandTester($cmd);
}
public function testCleanup() {
$this->registry->expects($this->once())
->method('cleanUp')
->with('u2f');
$rc = $this->cmd->execute([
'provider-id' => 'u2f',
]);
$this->assertEquals(0, $rc);
$output = $this->cmd->getDisplay();
$this->assertContains("All user-provider associations for provider u2f have been removed", $output);
}
}

View File

@ -1,8 +1,11 @@
<?php
declare(strict_types=1);
/**
* @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl>
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
@ -20,80 +23,90 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Core\Command\TwoFactorAuth;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Authentication\TwoFactorAuth\ProviderManager;
use OC\Core\Command\TwoFactorAuth\Disable;
use OCP\IUser;
use OCP\IUserManager;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use PHPUnit\Framework\MockObject\MockObject;
use Symfony\Component\Console\Tester\CommandTester;
use Test\TestCase;
class DisableTest extends TestCase {
/** @var Manager|\PHPUnit_Framework_MockObject_MockObject */
private $manager;
/** @var ProviderManager|MockObject */
private $providerManager;
/** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */
/** @var IUserManager|MockObject */
private $userManager;
/** @var Disable */
/** @var CommandTester */
private $command;
public function setUp() {
parent::setUp();
$this->manager = $this->createMock(Manager::class);
$this->providerManager = $this->createMock(ProviderManager::class);
$this->userManager = $this->createMock(IUserManager::class);
$this->command = new Disable($this->manager, $this->userManager);
$cmd = new Disable($this->providerManager, $this->userManager);
$this->command = new CommandTester($cmd);
}
public function testDisableSuccess() {
$user = $this->createMock(IUser::class);
$input = $this->createMock(InputInterface::class);
$output = $this->createMock(OutputInterface::class);
$input->method('getArgument')
->with($this->equalTo('uid'))
->willReturn('user');
$this->userManager->method('get')
->with('user')
->willReturn($user);
$this->manager->expects($this->once())
->method('disableTwoFactorAuthentication')
->with($this->equalTo($user));
$output->expects($this->once())
->method('writeln')
->with('Two-factor authentication disabled for user user');
$this->invokePrivate($this->command, 'execute', [$input, $output]);
}
public function testEnableFail() {
$input = $this->createMock(InputInterface::class);
$output = $this->createMock(OutputInterface::class);
$input->method('getArgument')
->with($this->equalTo('uid'))
->willReturn('user');
$this->userManager->method('get')
->with('user')
public function testInvalidUID() {
$this->userManager->expects($this->once())
->method('get')
->with('nope')
->willReturn(null);
$this->manager->expects($this->never())
->method($this->anything());
$rc = $this->command->execute([
'uid' => 'nope',
'provider_id' => 'nope',
]);
$output->expects($this->once())
->method('writeln')
->with('<error>Invalid UID</error>');
$this->assertEquals(1, $rc);
$this->assertContains("Invalid UID", $this->command->getDisplay());
}
$this->invokePrivate($this->command, 'execute', [$input, $output]);
public function testEnableNotSupported() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('ricky')
->willReturn($user);
$this->providerManager->expects($this->once())
->method('tryDisableProviderFor')
->with('totp', $user)
->willReturn(false);
$rc = $this->command->execute([
'uid' => 'ricky',
'provider_id' => 'totp',
]);
$this->assertEquals(2, $rc);
$this->assertContains("The provider does not support this operation", $this->command->getDisplay());
}
public function testEnabled() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('ricky')
->willReturn($user);
$this->providerManager->expects($this->once())
->method('tryDisableProviderFor')
->with('totp', $user)
->willReturn(true);
$rc = $this->command->execute([
'uid' => 'ricky',
'provider_id' => 'totp',
]);
$this->assertEquals(0, $rc);
$this->assertContains("Two-factor provider totp disabled for user ricky", $this->command->getDisplay());
}
}

View File

@ -1,8 +1,11 @@
<?php
declare(strict_types=1);
/**
* @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl>
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
@ -20,80 +23,91 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Core\Command\TwoFactorAuth;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Authentication\TwoFactorAuth\ProviderManager;
use OC\Core\Command\TwoFactorAuth\Enable;
use OCP\IUser;
use OCP\IUserManager;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use PHPUnit\Framework\MockObject\MockObject;
use Symfony\Component\Console\Tester\CommandTester;
use Test\TestCase;
class EnableTest extends TestCase {
/** @var Manager|\PHPUnit_Framework_MockObject_MockObject */
private $manager;
/** @var ProviderManager|MockObject */
private $providerManager;
/** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */
/** @var IUserManager|MockObject */
private $userManager;
/** @var Enable */
/** @var CommandTester */
private $command;
public function setUp() {
parent::setUp();
$this->manager = $this->createMock(Manager::class);
$this->providerManager = $this->createMock(ProviderManager::class);
$this->userManager = $this->createMock(IUserManager::class);
$this->command = new Enable($this->manager, $this->userManager);
$cmd = new Enable($this->providerManager, $this->userManager);
$this->command = new CommandTester($cmd);
}
public function testEnableSuccess() {
$user = $this->createMock(IUser::class);
$input = $this->createMock(InputInterface::class);
$output = $this->createMock(OutputInterface::class);
$input->method('getArgument')
->with($this->equalTo('uid'))
->willReturn('user');
$this->userManager->method('get')
->with('user')
->willReturn($user);
$this->manager->expects($this->once())
->method('enableTwoFactorAuthentication')
->with($this->equalTo($user));
$output->expects($this->once())
->method('writeln')
->with('Two-factor authentication enabled for user user');
$this->invokePrivate($this->command, 'execute', [$input, $output]);
}
public function testEnableFail() {
$input = $this->createMock(InputInterface::class);
$output = $this->createMock(OutputInterface::class);
$input->method('getArgument')
->with($this->equalTo('uid'))
->willReturn('user');
$this->userManager->method('get')
->with('user')
public function testInvalidUID() {
$this->userManager->expects($this->once())
->method('get')
->with('nope')
->willReturn(null);
$this->manager->expects($this->never())
->method($this->anything());
$rc = $this->command->execute([
'uid' => 'nope',
'provider_id' => 'nope',
]);
$output->expects($this->once())
->method('writeln')
->with('<error>Invalid UID</error>');
$this->invokePrivate($this->command, 'execute', [$input, $output]);
$this->assertEquals(1, $rc);
$this->assertContains("Invalid UID", $this->command->getDisplay());
}
public function testEnableNotSupported() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('belle')
->willReturn($user);
$this->providerManager->expects($this->once())
->method('tryEnableProviderFor')
->with('totp', $user)
->willReturn(false);
$rc = $this->command->execute([
'uid' => 'belle',
'provider_id' => 'totp',
]);
$this->assertEquals(2, $rc);
$this->assertContains("The provider does not support this operation", $this->command->getDisplay());
}
public function testEnabled() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('belle')
->willReturn($user);
$this->providerManager->expects($this->once())
->method('tryEnableProviderFor')
->with('totp', $user)
->willReturn(true);
$rc = $this->command->execute([
'uid' => 'belle',
'provider_id' => 'totp',
]);
$this->assertEquals(0, $rc);
$this->assertContains("Two-factor provider totp enabled for user belle", $this->command->getDisplay());
}
}

View File

@ -0,0 +1,113 @@
<?php
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Core\Command\TwoFactorAuth;
use OC\Core\Command\TwoFactorAuth\State;
use OCP\Authentication\TwoFactorAuth\IRegistry;
use OCP\IUser;
use OCP\IUserManager;
use PHPUnit\Framework\MockObject\MockObject;
use Symfony\Component\Console\Tester\CommandTester;
use Test\TestCase;
class StateTest extends TestCase {
/** @var IRegistry|MockObject */
private $registry;
/** @var IUserManager|MockObject */
private $userManager;
/** @var CommandTester|MockObject */
private $cmd;
protected function setUp() {
parent::setUp();
$this->registry = $this->createMock(IRegistry::class);
$this->userManager = $this->createMock(IUserManager::class);
$cmd = new State($this->registry, $this->userManager);
$this->cmd = new CommandTester($cmd);
}
public function testWrongUID() {
$this->cmd->execute([
'uid' => 'nope',
]);
$output = $this->cmd->getDisplay();
$this->assertContains("Invalid UID", $output);
}
public function testStateNoProvidersActive() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('eldora')
->willReturn($user);
$states = [
'u2f' => false,
'totp' => false,
];
$this->registry->expects($this->once())
->method('getProviderStates')
->with($user)
->willReturn($states);
$this->cmd->execute([
'uid' => 'eldora',
]);
$output = $this->cmd->getDisplay();
$this->assertContains("Two-factor authentication is not enabled for user eldora", $output);
}
public function testStateOneProviderActive() {
$user = $this->createMock(IUser::class);
$this->userManager->expects($this->once())
->method('get')
->with('mohamed')
->willReturn($user);
$states = [
'u2f' => true,
'totp' => false,
];
$this->registry->expects($this->once())
->method('getProviderStates')
->with($user)
->willReturn($states);
$this->cmd->execute([
'uid' => 'mohamed',
]);
$output = $this->cmd->getDisplay();
$this->assertContains("Two-factor authentication is enabled for user mohamed", $output);
}
}

View File

@ -131,4 +131,18 @@ class ProviderUserAssignmentDaoTest extends TestCase {
$this->assertCount(1, $data);
}
public function testDeleteAll() {
$this->dao->persist('twofactor_fail', 'user1', 1);
$this->dao->persist('twofactor_u2f', 'user1', 1);
$this->dao->persist('twofactor_fail', 'user2', 0);
$this->dao->persist('twofactor_u2f', 'user1', 0);
$this->dao->deleteAll('twofactor_fail');
$statesUser1 = $this->dao->getState('user1');
$statesUser2 = $this->dao->getState('user2');
$this->assertCount(1, $statesUser1);
$this->assertCount(0, $statesUser2);
}
}

View File

@ -143,13 +143,6 @@ class ManagerTest extends TestCase {
}
public function testIsTwoFactorAuthenticatedNoProviders() {
$this->user->expects($this->once())
->method('getUID')
->will($this->returnValue('user123'));
$this->config->expects($this->once())
->method('getUserValue')
->with('user123', 'core', 'two_factor_auth_disabled', 0)
->willReturn(0);
$this->providerRegistry->expects($this->once())
->method('getProviderStates')
->willReturn([]); // No providers registered
@ -161,13 +154,6 @@ class ManagerTest extends TestCase {
}
public function testIsTwoFactorAuthenticatedOnlyBackupCodes() {
$this->user->expects($this->once())
->method('getUID')
->will($this->returnValue('user123'));
$this->config->expects($this->once())
->method('getUserValue')
->with('user123', 'core', 'two_factor_auth_disabled', 0)
->willReturn(0);
$this->providerRegistry->expects($this->once())
->method('getProviderStates')
->willReturn([
@ -187,13 +173,6 @@ class ManagerTest extends TestCase {
}
public function testIsTwoFactorAuthenticatedFailingProviders() {
$this->user->expects($this->once())
->method('getUID')
->will($this->returnValue('user123'));
$this->config->expects($this->once())
->method('getUserValue')
->with('user123', 'core', 'two_factor_auth_disabled', 0)
->willReturn(0);
$this->providerRegistry->expects($this->once())
->method('getProviderStates')
->willReturn([
@ -225,13 +204,6 @@ class ManagerTest extends TestCase {
* @dataProvider providerStatesFixData
*/
public function testIsTwoFactorAuthenticatedFixesProviderStates(bool $providerEnabled, bool $expected) {
$this->user->expects($this->once())
->method('getUID')
->will($this->returnValue('user123'));
$this->config->expects($this->once())
->method('getUserValue')
->with('user123', 'core', 'two_factor_auth_disabled', 0)
->willReturn(0);
$this->providerRegistry->expects($this->once())
->method('getProviderStates')
->willReturn([]); // Nothing registered yet

View File

@ -0,0 +1,154 @@
<?php
declare(strict_types=1);
/**
* @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace lib\Authentication\TwoFactorAuth;
use OC\Authentication\TwoFactorAuth\ProviderLoader;
use OC\Authentication\TwoFactorAuth\ProviderManager;
use OCP\Authentication\TwoFactorAuth\IActivatableByAdmin;
use OCP\Authentication\TwoFactorAuth\IDeactivatableByAdmin;
use OCP\Authentication\TwoFactorAuth\IProvider;
use OCP\Authentication\TwoFactorAuth\IRegistry;
use OCP\IUser;
use PHPUnit\Framework\MockObject\MockObject;
use Test\TestCase;
class ProviderManagerTest extends TestCase {
/** @var ProviderLoader|MockObject */
private $providerLoader;
/** @var IRegistry|MockObject */
private $registry;
/** @var ProviderManager */
private $providerManager;
protected function setUp() {
parent::setUp();
$this->providerLoader = $this->createMock(ProviderLoader::class);
$this->registry = $this->createMock(IRegistry::class);
$this->providerManager = new ProviderManager(
$this->providerLoader,
$this->registry
);
}
/**
* @expectedException \OC\Authentication\Exceptions\InvalidProviderException
*/
public function testTryEnableInvalidProvider() {
$user = $this->createMock(IUser::class);
$this->providerManager->tryEnableProviderFor('none', $user);
}
public function testTryEnableUnsupportedProvider() {
$user = $this->createMock(IUser::class);
$provider = $this->createMock(IProvider::class);
$this->providerLoader->expects($this->once())
->method('getProviders')
->with($user)
->willReturn([
'u2f' => $provider,
]);
$this->registry->expects($this->never())
->method('enableProviderFor');
$res = $this->providerManager->tryEnableProviderFor('u2f', $user);
$this->assertFalse($res);
}
public function testTryEnableProvider() {
$user = $this->createMock(IUser::class);
$provider = $this->createMock(IActivatableByAdmin::class);
$this->providerLoader->expects($this->once())
->method('getProviders')
->with($user)
->willReturn([
'u2f' => $provider,
]);
$provider->expects($this->once())
->method('enableFor')
->with($user);
$this->registry->expects($this->once())
->method('enableProviderFor')
->with($provider, $user);
$res = $this->providerManager->tryEnableProviderFor('u2f', $user);
$this->assertTrue($res);
}
/**
* @expectedException \OC\Authentication\Exceptions\InvalidProviderException
*/
public function testTryDisableInvalidProvider() {
$user = $this->createMock(IUser::class);
$this->providerManager->tryDisableProviderFor('none', $user);
}
public function testTryDisableUnsupportedProvider() {
$user = $this->createMock(IUser::class);
$provider = $this->createMock(IProvider::class);
$this->providerLoader->expects($this->once())
->method('getProviders')
->with($user)
->willReturn([
'u2f' => $provider,
]);
$this->registry->expects($this->never())
->method('disableProviderFor');
$res = $this->providerManager->tryDisableProviderFor('u2f', $user);
$this->assertFalse($res);
}
public function testTryDisableProvider() {
$user = $this->createMock(IUser::class);
$provider = $this->createMock(IDeactivatableByAdmin::class);
$this->providerLoader->expects($this->once())
->method('getProviders')
->with($user)
->willReturn([
'u2f' => $provider,
]);
$provider->expects($this->once())
->method('disableFor')
->with($user);
$this->registry->expects($this->once())
->method('disableProviderFor')
->with($provider, $user);
$res = $this->providerManager->tryDisableProviderFor('u2f', $user);
$this->assertTrue($res);
}
}

View File

@ -82,4 +82,12 @@ class RegistryTest extends TestCase {
$this->registry->disableProviderFor($provider, $user);
}
public function testCleanUp() {
$this->dao->expects($this->once())
->method('deleteAll')
->with('twofactor_u2f');
$this->registry->cleanUp('twofactor_u2f');
}
}