Merge pull request #1031 from nextcloud/2fa-infinite-redirect-loop
prevent infinite redirect loops if the there is no 2fa provider to pass
This commit is contained in:
Joas Schilling
GitHub
commit
89c78bbce4
|
|
@ -224,7 +224,7 @@ class Auth extends AbstractBasic {
|
||||||
if($forcedLogout) {
|
if($forcedLogout) {
|
||||||
$this->userSession->logout();
|
$this->userSession->logout();
|
||||||
} else {
|
} else {
|
||||||
if ($this->twoFactorManager->needsSecondFactor()) {
|
if($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
|
||||||
throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
|
throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
|
||||||
}
|
}
|
||||||
if (\OC_User::handleApacheAuth() ||
|
if (\OC_User::handleApacheAuth() ||
|
||||||
|
|
|
||||||
|
|
@ -374,6 +374,7 @@ class AuthTest extends TestCase {
|
||||||
->willReturn(true);
|
->willReturn(true);
|
||||||
$this->twoFactorManager->expects($this->once())
|
$this->twoFactorManager->expects($this->once())
|
||||||
->method('needsSecondFactor')
|
->method('needsSecondFactor')
|
||||||
|
->with($user)
|
||||||
->will($this->returnValue(true));
|
->will($this->returnValue(true));
|
||||||
$this->auth->check($request, $response);
|
$this->auth->check($request, $response);
|
||||||
}
|
}
|
||||||
|
|
@ -658,7 +659,7 @@ class AuthTest extends TestCase {
|
||||||
->method('getUID')
|
->method('getUID')
|
||||||
->will($this->returnValue('MyTestUser'));
|
->will($this->returnValue('MyTestUser'));
|
||||||
$this->userSession
|
$this->userSession
|
||||||
->expects($this->exactly(3))
|
->expects($this->exactly(4))
|
||||||
->method('getUser')
|
->method('getUser')
|
||||||
->will($this->returnValue($user));
|
->will($this->returnValue($user));
|
||||||
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
|
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,7 @@ use Exception;
|
||||||
use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;
|
use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;
|
||||||
use OC\Authentication\Exceptions\UserAlreadyLoggedInException;
|
use OC\Authentication\Exceptions\UserAlreadyLoggedInException;
|
||||||
use OC\Authentication\TwoFactorAuth\Manager;
|
use OC\Authentication\TwoFactorAuth\Manager;
|
||||||
|
use OC\Core\Controller\LoginController;
|
||||||
use OC\Core\Controller\TwoFactorChallengeController;
|
use OC\Core\Controller\TwoFactorChallengeController;
|
||||||
use OC\User\Session;
|
use OC\User\Session;
|
||||||
use OCP\AppFramework\Controller;
|
use OCP\AppFramework\Controller;
|
||||||
|
|
@ -36,6 +37,7 @@ use OCP\AppFramework\Utility\IControllerMethodReflector;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\ISession;
|
use OCP\ISession;
|
||||||
use OCP\IURLGenerator;
|
use OCP\IURLGenerator;
|
||||||
|
use OCP\IUser;
|
||||||
|
|
||||||
class TwoFactorMiddleware extends Middleware {
|
class TwoFactorMiddleware extends Middleware {
|
||||||
|
|
||||||
|
|
@ -83,7 +85,7 @@ class TwoFactorMiddleware extends Middleware {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($controller instanceof \OC\Core\Controller\LoginController && $methodName === 'logout') {
|
if ($controller instanceof LoginController && $methodName === 'logout') {
|
||||||
// Don't block the logout page, to allow canceling the 2FA
|
// Don't block the logout page, to allow canceling the 2FA
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
@ -92,7 +94,7 @@ class TwoFactorMiddleware extends Middleware {
|
||||||
$user = $this->userSession->getUser();
|
$user = $this->userSession->getUser();
|
||||||
|
|
||||||
if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) {
|
if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) {
|
||||||
$this->checkTwoFactor($controller, $methodName);
|
$this->checkTwoFactor($controller, $methodName, $user);
|
||||||
} else if ($controller instanceof TwoFactorChallengeController) {
|
} else if ($controller instanceof TwoFactorChallengeController) {
|
||||||
// Allow access to the two-factor controllers only if two-factor authentication
|
// Allow access to the two-factor controllers only if two-factor authentication
|
||||||
// is in progress.
|
// is in progress.
|
||||||
|
|
@ -102,10 +104,10 @@ class TwoFactorMiddleware extends Middleware {
|
||||||
// TODO: dont check/enforce 2FA if a auth token is used
|
// TODO: dont check/enforce 2FA if a auth token is used
|
||||||
}
|
}
|
||||||
|
|
||||||
private function checkTwoFactor($controller, $methodName) {
|
private function checkTwoFactor($controller, $methodName, IUser $user) {
|
||||||
// If two-factor auth is in progress disallow access to any controllers
|
// If two-factor auth is in progress disallow access to any controllers
|
||||||
// defined within "LoginController".
|
// defined within "LoginController".
|
||||||
$needsSecondFactor = $this->twoFactorManager->needsSecondFactor();
|
$needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user);
|
||||||
$twoFactor = $controller instanceof TwoFactorChallengeController;
|
$twoFactor = $controller instanceof TwoFactorChallengeController;
|
||||||
|
|
||||||
// Disallow access to any controller if 2FA needs to be checked
|
// Disallow access to any controller if 2FA needs to be checked
|
||||||
|
|
|
||||||
|
|
@ -165,10 +165,24 @@ class Manager {
|
||||||
/**
|
/**
|
||||||
* Check if the currently logged in user needs to pass 2FA
|
* Check if the currently logged in user needs to pass 2FA
|
||||||
*
|
*
|
||||||
|
* @param IUser $user the currently logged in user
|
||||||
* @return boolean
|
* @return boolean
|
||||||
*/
|
*/
|
||||||
public function needsSecondFactor() {
|
public function needsSecondFactor(IUser $user = null) {
|
||||||
return $this->session->exists(self::SESSION_UID_KEY);
|
if (is_null($user) || !$this->session->exists(self::SESSION_UID_KEY)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$this->isTwoFactorAuthenticated($user)) {
|
||||||
|
// There is no second factor any more -> let the user pass
|
||||||
|
// This prevents infinite redirect loops when a user is about
|
||||||
|
// to solve the 2FA challenge, and the provider app is
|
||||||
|
// disabled the same time
|
||||||
|
$this->session->remove(self::SESSION_UID_KEY);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -311,7 +311,7 @@ class OC_API {
|
||||||
// reuse existing login
|
// reuse existing login
|
||||||
$loggedIn = \OC::$server->getUserSession()->isLoggedIn();
|
$loggedIn = \OC::$server->getUserSession()->isLoggedIn();
|
||||||
if ($loggedIn === true) {
|
if ($loggedIn === true) {
|
||||||
if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor()) {
|
if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
|
||||||
// Do not allow access to OCS until the 2FA challenge was solved successfully
|
// Do not allow access to OCS until the 2FA challenge was solved successfully
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -68,7 +68,7 @@ class OC_JSON{
|
||||||
public static function checkLoggedIn() {
|
public static function checkLoggedIn() {
|
||||||
$twoFactorAuthManger = \OC::$server->getTwoFactorAuthManager();
|
$twoFactorAuthManger = \OC::$server->getTwoFactorAuthManager();
|
||||||
if( !OC_User::isLoggedIn()
|
if( !OC_User::isLoggedIn()
|
||||||
|| $twoFactorAuthManger->needsSecondFactor()) {
|
|| $twoFactorAuthManger->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
|
||||||
$l = \OC::$server->getL10N('lib');
|
$l = \OC::$server->getL10N('lib');
|
||||||
http_response_code(\OCP\AppFramework\Http::STATUS_UNAUTHORIZED);
|
http_response_code(\OCP\AppFramework\Http::STATUS_UNAUTHORIZED);
|
||||||
self::error(array( 'data' => array( 'message' => $l->t('Authentication error'), 'error' => 'authentication_error' )));
|
self::error(array( 'data' => array( 'message' => $l->t('Authentication error'), 'error' => 'authentication_error' )));
|
||||||
|
|
|
||||||
|
|
@ -975,7 +975,7 @@ class OC_Util {
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
// Redirect to index page if 2FA challenge was not solved yet
|
// Redirect to index page if 2FA challenge was not solved yet
|
||||||
if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor()) {
|
if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
|
||||||
header('Location: ' . \OCP\Util::linkToAbsolute('', 'index.php'));
|
header('Location: ' . \OCP\Util::linkToAbsolute('', 'index.php'));
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -132,6 +132,7 @@ class TwoFactorMiddlewareTest extends TestCase {
|
||||||
->will($this->returnValue(true));
|
->will($this->returnValue(true));
|
||||||
$this->twoFactorManager->expects($this->once())
|
$this->twoFactorManager->expects($this->once())
|
||||||
->method('needsSecondFactor')
|
->method('needsSecondFactor')
|
||||||
|
->with($user)
|
||||||
->will($this->returnValue(true));
|
->will($this->returnValue(true));
|
||||||
|
|
||||||
$this->middleware->beforeController(null, 'index');
|
$this->middleware->beforeController(null, 'index');
|
||||||
|
|
@ -159,6 +160,7 @@ class TwoFactorMiddlewareTest extends TestCase {
|
||||||
->will($this->returnValue(true));
|
->will($this->returnValue(true));
|
||||||
$this->twoFactorManager->expects($this->once())
|
$this->twoFactorManager->expects($this->once())
|
||||||
->method('needsSecondFactor')
|
->method('needsSecondFactor')
|
||||||
|
->with($user)
|
||||||
->will($this->returnValue(false));
|
->will($this->returnValue(false));
|
||||||
|
|
||||||
$twoFactorChallengeController = $this->getMockBuilder('\OC\Core\Controller\TwoFactorChallengeController')
|
$twoFactorChallengeController = $this->getMockBuilder('\OC\Core\Controller\TwoFactorChallengeController')
|
||||||
|
|
|
||||||
|
|
@ -72,6 +72,19 @@ class ManagerTest extends TestCase {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function prepareNoProviders() {
|
||||||
|
$this->appManager->expects($this->any())
|
||||||
|
->method('getEnabledAppsForUser')
|
||||||
|
->with($this->user)
|
||||||
|
->will($this->returnValue([]));
|
||||||
|
|
||||||
|
$this->appManager->expects($this->never())
|
||||||
|
->method('getAppInfo');
|
||||||
|
|
||||||
|
$this->manager->expects($this->never())
|
||||||
|
->method('loadTwoFactorApp');
|
||||||
|
}
|
||||||
|
|
||||||
private function prepareProviders() {
|
private function prepareProviders() {
|
||||||
$this->appManager->expects($this->any())
|
$this->appManager->expects($this->any())
|
||||||
->method('getEnabledAppsForUser')
|
->method('getEnabledAppsForUser')
|
||||||
|
|
@ -164,7 +177,7 @@ class ManagerTest extends TestCase {
|
||||||
->method('remove')
|
->method('remove')
|
||||||
->with('two_factor_auth_uid');
|
->with('two_factor_auth_uid');
|
||||||
|
|
||||||
$this->assertEquals(true, $this->manager->verifyChallenge('email', $this->user, $challenge));
|
$this->assertTrue($this->manager->verifyChallenge('email', $this->user, $challenge));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testVerifyChallengeInvalidProviderId() {
|
public function testVerifyChallengeInvalidProviderId() {
|
||||||
|
|
@ -177,7 +190,7 @@ class ManagerTest extends TestCase {
|
||||||
$this->session->expects($this->never())
|
$this->session->expects($this->never())
|
||||||
->method('remove');
|
->method('remove');
|
||||||
|
|
||||||
$this->assertEquals(false, $this->manager->verifyChallenge('dontexist', $this->user, $challenge));
|
$this->assertFalse($this->manager->verifyChallenge('dontexist', $this->user, $challenge));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testVerifyInvalidChallenge() {
|
public function testVerifyInvalidChallenge() {
|
||||||
|
|
@ -191,16 +204,40 @@ class ManagerTest extends TestCase {
|
||||||
$this->session->expects($this->never())
|
$this->session->expects($this->never())
|
||||||
->method('remove');
|
->method('remove');
|
||||||
|
|
||||||
$this->assertEquals(false, $this->manager->verifyChallenge('email', $this->user, $challenge));
|
$this->assertFalse($this->manager->verifyChallenge('email', $this->user, $challenge));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testNeedsSecondFactor() {
|
public function testNeedsSecondFactor() {
|
||||||
|
$user = $this->getMock('\OCP\IUser');
|
||||||
$this->session->expects($this->once())
|
$this->session->expects($this->once())
|
||||||
->method('exists')
|
->method('exists')
|
||||||
->with('two_factor_auth_uid')
|
->with('two_factor_auth_uid')
|
||||||
->will($this->returnValue(false));
|
->will($this->returnValue(false));
|
||||||
|
|
||||||
$this->assertEquals(false, $this->manager->needsSecondFactor());
|
$this->assertFalse($this->manager->needsSecondFactor($user));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testNeedsSecondFactorUserIsNull() {
|
||||||
|
$user = null;
|
||||||
|
$this->session->expects($this->never())
|
||||||
|
->method('exists');
|
||||||
|
|
||||||
|
$this->assertFalse($this->manager->needsSecondFactor($user));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testNeedsSecondFactorWithNoProviderAvailableAnymore() {
|
||||||
|
$this->prepareNoProviders();
|
||||||
|
|
||||||
|
$user = null;
|
||||||
|
$this->session->expects($this->never())
|
||||||
|
->method('exists')
|
||||||
|
->with('two_factor_auth_uid')
|
||||||
|
->will($this->returnValue(true));
|
||||||
|
$this->session->expects($this->never())
|
||||||
|
->method('remove')
|
||||||
|
->with('two_factor_auth_uid');
|
||||||
|
|
||||||
|
$this->assertFalse($this->manager->needsSecondFactor($user));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testPrepareTwoFactorLogin() {
|
public function testPrepareTwoFactorLogin() {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue