Merge pull request #2505 from nextcloud/sudo-mode-provisioning-api

Require sudo mode on the provisioning API
Morris Jobke 2016-12-05 22:29:29 +01:00 committed by GitHub
commit aac3024878
5 changed files with 130 additions and 7 deletions


@ -25,12 +25,10 @@
namespace OCA\Provisioning_API\Controller;
use OC\OCSClient;
use \OC_App;
use OCP\App\IAppManager;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSException;
use OCP\AppFramework\OCS\OCSNotFoundException;
use OCP\AppFramework\OCSController;
use OCP\IRequest;
@ -86,7 +84,7 @@ class AppsController extends OCSController {
/**
* @param string $app
* @return DataResponse
* @throws OCSNotFoundException
* @throws OCSException
*/
public function getAppInfo($app) {
$info = \OCP\App::getAppInfo($app);
@ -98,6 +96,7 @@ class AppsController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @param string $app
* @return DataResponse
*/
@ -107,6 +106,7 @@ class AppsController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @param string $app
* @return DataResponse
*/
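Review bot: The `@PasswordConfirmationRequired` annotations added to the two docblocks here say nothing about what a caller must do or what it gets back when the confirmation is missing, and the method signatures they belong to are outside the hunks. I'd add one line to each, e.g. `* Requires a recent password confirmation (sudo mode); unconfirmed sessions are rejected with 403.`, so OCS clients understand why a request that authenticates correctly can still fail. If the rejection produced by the confirmation middleware is a plain JSON 403 rather than an OCS `<meta>` envelope, clients that parse OCS status codes will misreport it; that is not visible from this diff and is worth confirming before relying on the annotation for the provisioning API.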


@ -128,7 +128,7 @@ class GroupsController extends OCSController {
/**
* creates a new group
*
* @NoAdminRequired
* @PasswordConfirmationRequired
*
* @param string $groupid
* @return DataResponse
@ -149,6 +149,8 @@ class GroupsController extends OCSController {
}
/**
* @PasswordConfirmationRequired
*
* @param string $groupId
* @return DataResponse
* @throws OCSException
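Review bot: The first hunk's counts (7 old lines, 7 new) together with the diffstat's 7 deletions imply that one line of the group-creation docblock was replaced rather than merely added to, and the `@NoAdminRequired` line is the only plausible candidate for the removed one; if that reading is right, this commit also takes group creation away from subadmins, a privilege change unrelated to sudo mode that neither the title nor the description mentions (the method's signature is outside the hunk). Please state that change explicitly in the description, or restore the annotation if it was dropped by accident, and add a test for a subadmin calling the endpoint so the intended behaviour is pinned either way.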


@ -93,6 +93,7 @@ class UsersController extends OCSController {
*/
public function getUsers($search = '', $limit = null, $offset = null) {
$user = $this->userSession->getUser();
$users = [];
// Admin? Or SubAdmin?
$uid = $user->getUID();
@ -125,6 +126,7 @@ class UsersController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @NoAdminRequired
*
* @param string $userid
@ -218,6 +220,7 @@ class UsersController extends OCSController {
/**
* @NoAdminRequired
* @NoSubAdminRequired
* @PasswordConfirmationRequired
*
* edit users
*
@ -308,6 +311,7 @@ class UsersController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @NoAdminRequired
*
* @param string $userId
@ -339,20 +343,26 @@ class UsersController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @NoAdminRequired
*
* @param string $userId
* @return DataResponse
* @throws OCSException
* @throws OCSForbiddenException
*/
public function disableUser($userId) {
return $this->setEnabled($userId, false);
}
/**
* @PasswordConfirmationRequired
* @NoAdminRequired
*
* @param string $userId
* @return DataResponse
* @throws OCSException
* @throws OCSForbiddenException
*/
public function enableUser($userId) {
return $this->setEnabled($userId, true);
@ -390,8 +400,7 @@ class UsersController extends OCSController {
*
* @param string $userId
* @return DataResponse
* @throws OCSForbiddenException
* @throws OCSNotFoundException
* @throws OCSException
*/
public function getUsersGroups($userId) {
$loggedInUser = $this->userSession->getUser();
@ -430,6 +439,7 @@ class UsersController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @param string $userId
* @param string $groupid
* @return DataResponse
@ -455,9 +465,10 @@ class UsersController extends OCSController {
}
/**
* @PasswordConfirmationRequired
* @NoAdminRequired
*
* @param string userId
* @param string $userId
* @param string $groupid
* @return DataResponse
* @throws OCSException
@ -511,6 +522,8 @@ class UsersController extends OCSController {
/**
* Creates a subadmin
*
* @PasswordConfirmationRequired
*
* @param string $userId
* @param string $groupid
* @return DataResponse
@ -550,6 +563,8 @@ class UsersController extends OCSController {
/**
* Removes a subadmin from a group
*
* @PasswordConfirmationRequired
*
* @param string $userId
* @param string $groupid
* @return DataResponse
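Review bot: Every mutating endpoint in this file is now gated by `@PasswordConfirmationRequired`, but the patch touches no frontend, and if the settings user-management page calls these OCS routes with a session cookie rather than basic auth (as I believe it does), creating, editing, enabling and deleting users from the UI will start failing unless that page already intercepts the confirmation-required 403 and opens the password dialog. Please confirm that wiring exists, since it is not visible from this diff, and add a controller test for the unconfirmed-session path. Two style nits in the new lines: the annotation order alternates (`@PasswordConfirmationRequired` before `@NoAdminRequired` in most docblocks, after `@NoSubAdminRequired` in the edit-users one), and the parameter docs mix `$userId` with `$groupid`; settle on one order and one casing while these docblocks are being touched.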


@ -423,6 +423,7 @@ class Session implements IUserSession, Emitter {
*
* @todo do not allow basic auth if the user is 2FA enforced
* @param IRequest $request
* @param OC\Security\Bruteforce\Throttler $throttler
* @return boolean if the login was successful
*/
public function tryBasicAuthLogin(IRequest $request,
@ -440,6 +441,10 @@ class Session implements IUserSession, Emitter {
$this->session->set(
Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
);
// Set the last-password-confirm session to make the sudo mode work
$this->session->set('last-password-confirm', $this->timeFacory->getTime());
return true;
}
} catch (PasswordLoginForbiddenException $ex) {
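Review bot: The new `$this->session->set('last-password-confirm', ...)` treats every successful basic-auth login as a password confirmation, but `logClientIn` is the common login entry point, so if it also accepts app-specific tokens sent as the basic-auth password, the sudo mode this PR introduces can be satisfied without the account password, which is the very credential the confirmation step is meant to re-check; I cannot see `logClientIn` from this hunk, so please verify. It also compounds the `@todo` above: a basic-auth request that bypasses 2FA enforcement now additionally grants sudo rights. I'd set the stamp only when the credentials were verified as the real password, e.g. `if (!$isTokenLogin) { $this->session->set('last-password-confirm', $this->timeFacory->getTime()); }` with the predicate taken from the token provider, and leave it unset for token logins. The enclosing method continues outside the hunk; minor, the property spelling `timeFacory` looks like a typo worth fixing in a follow-up if it is the declared name.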


@ -8,6 +8,7 @@
namespace Test\User;
use OC\AppFramework\Http\Request;
use OC\Authentication\Token\DefaultTokenMapper;
use OC\Authentication\Token\DefaultTokenProvider;
use OC\Authentication\Token\IProvider;
@ -17,6 +18,7 @@ use OC\Session\Memory;
use OC\User\Manager;
use OC\User\Session;
use OC\User\User;
use OCA\DAV\Connector\Sabre\Auth;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\ILogger;
@ -1219,4 +1221,103 @@ class SessionTest extends \Test\TestCase {
$this->userSession->createRememberMeToken($user);
}
public function testTryBasicAuthLoginValid() {
$request = $this->createMock(Request::class);
$request->method('__get')
->willReturn([
'PHP_AUTH_USER' => 'username',
'PHP_AUTH_PW' => 'password',
]);
$request->method('__isset')
->with('server')
->willReturn(true);
$davAuthenticatedSet = false;
$lastPasswordConfirmSet = false;
$this->session
->method('set')
->will($this->returnCallback(function($k, $v) use (&$davAuthenticatedSet, &$lastPasswordConfirmSet) {
switch ($k) {
case Auth::DAV_AUTHENTICATED:
$davAuthenticatedSet = $v;
return;
case 'last-password-confirm':
$lastPasswordConfirmSet = 1000;
return;
default:
throw new \Exception();
}
}));
$userSession = $this->getMockBuilder(Session::class)
->setConstructorArgs([
$this->manager,
$this->session,
$this->timeFactory,
$this->tokenProvider,
$this->config,
$this->random,
])
->setMethods([
'logClientIn',
'getUser',
])
->getMock();
/** @var Session|\PHPUnit_Framework_MockObject_MockObject */
$userSession->expects($this->once())
->method('logClientIn')
->with(
$this->equalTo('username'),
$this->equalTo('password'),
$this->equalTo($request),
$this->equalTo($this->throttler)
)->willReturn(true);
$user = $this->createMock(IUser::class);
$user->method('getUID')->willReturn('username');
$userSession->expects($this->once())
->method('getUser')
->willReturn($user);
$this->assertTrue($userSession->tryBasicAuthLogin($request, $this->throttler));
$this->assertSame('username', $davAuthenticatedSet);
$this->assertSame(1000, $lastPasswordConfirmSet);
}
public function testTryBasicAuthLoginNoLogin() {
$request = $this->createMock(Request::class);
$request->method('__get')
->willReturn([]);
$request->method('__isset')
->with('server')
->willReturn(true);
$this->session->expects($this->never())
->method($this->anything());
$userSession = $this->getMockBuilder(Session::class)
->setConstructorArgs([
$this->manager,
$this->session,
$this->timeFactory,
$this->tokenProvider,
$this->config,
$this->random,
])
->setMethods([
'logClientIn',
])
->getMock();
/** @var Session|\PHPUnit_Framework_MockObject_MockObject */
$userSession->expects($this->never())
->method('logClientIn');
$this->assertFalse($userSession->tryBasicAuthLogin($request, $this->throttler));
}
}
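Review bot: In testTryBasicAuthLoginValid the `last-password-confirm` branch of the session callback assigns the constant `1000` instead of the value passed in (`$lastPasswordConfirmSet = 1000;`), so the closing `assertSame(1000, $lastPasswordConfirmSet)` passes whatever the code stores and never proves the stamp is the time factory's clock value. Change the callback to `$lastPasswordConfirmSet = $v;` and stub the clock with `$this->timeFactory->method('getTime')->willReturn(1000);` so the assertion actually constrains the written value. A third test for a login that succeeds with an app token, if `logClientIn` accepts one, would pin down whether the stamp is meant to be set in that case.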