Merge pull request #2505 from nextcloud/sudo-mode-provisioning-api
Require sudo mode on the provisioning API
This commit is contained in:
commit
aac3024878
|
@ -25,12 +25,10 @@
|
|||
|
||||
namespace OCA\Provisioning_API\Controller;
|
||||
|
||||
use OC\OCSClient;
|
||||
use \OC_App;
|
||||
use OCP\App\IAppManager;
|
||||
use OCP\AppFramework\Http\DataResponse;
|
||||
use OCP\AppFramework\OCS\OCSException;
|
||||
use OCP\AppFramework\OCS\OCSNotFoundException;
|
||||
use OCP\AppFramework\OCSController;
|
||||
use OCP\IRequest;
|
||||
|
||||
|
@ -86,7 +84,7 @@ class AppsController extends OCSController {
|
|||
/**
|
||||
* @param string $app
|
||||
* @return DataResponse
|
||||
* @throws OCSNotFoundException
|
||||
* @throws OCSException
|
||||
*/
|
||||
public function getAppInfo($app) {
|
||||
$info = \OCP\App::getAppInfo($app);
|
||||
|
@ -98,6 +96,7 @@ class AppsController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @param string $app
|
||||
* @return DataResponse
|
||||
*/
|
||||
|
@ -107,6 +106,7 @@ class AppsController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @param string $app
|
||||
* @return DataResponse
|
||||
*/
|
||||
|
|
|
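Review bot: The new `@PasswordConfirmationRequired` annotations in the hunks at -98 and -107 are the only thing gating these app-state changes behind sudo mode, and the annotation is presumably matched by name in the annotation-reading middleware rather than by the type system, so a typo or a later docblock rewrite would silently drop the check with no test failing. Each annotated method's signature lies outside its hunk, so the affected endpoints are not visible here; a reflection-based unit test asserting that every state-changing action in AppsController carries the annotation would pin this down, and the same point applies to the GroupsController and UsersController sections below. Minor style point in the import hunk at -25: `use \OC_App;` keeps a leading backslash while every other import is unqualified; `use OC_App;` would match the rest.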
@ -128,7 +128,7 @@ class GroupsController extends OCSController {
|
|||
/**
|
||||
* creates a new group
|
||||
*
|
||||
* @NoAdminRequired
|
||||
* @PasswordConfirmationRequired
|
||||
*
|
||||
* @param string $groupid
|
||||
* @return DataResponse
|
||||
|
@ -149,6 +149,8 @@ class GroupsController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
*
|
||||
* @param string $groupId
|
||||
* @return DataResponse
|
||||
* @throws OCSException
|
||||
|
|
|
@ -93,6 +93,7 @@ class UsersController extends OCSController {
|
|||
*/
|
||||
public function getUsers($search = '', $limit = null, $offset = null) {
|
||||
$user = $this->userSession->getUser();
|
||||
$users = [];
|
||||
|
||||
// Admin? Or SubAdmin?
|
||||
$uid = $user->getUID();
|
||||
|
@ -125,6 +126,7 @@ class UsersController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @NoAdminRequired
|
||||
*
|
||||
* @param string $userid
|
||||
|
@ -218,6 +220,7 @@ class UsersController extends OCSController {
|
|||
/**
|
||||
* @NoAdminRequired
|
||||
* @NoSubAdminRequired
|
||||
* @PasswordConfirmationRequired
|
||||
*
|
||||
* edit users
|
||||
*
|
||||
|
@ -308,6 +311,7 @@ class UsersController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @NoAdminRequired
|
||||
*
|
||||
* @param string $userId
|
||||
|
@ -339,20 +343,26 @@ class UsersController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @NoAdminRequired
|
||||
*
|
||||
* @param string $userId
|
||||
* @return DataResponse
|
||||
* @throws OCSException
|
||||
* @throws OCSForbiddenException
|
||||
*/
|
||||
public function disableUser($userId) {
|
||||
return $this->setEnabled($userId, false);
|
||||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @NoAdminRequired
|
||||
*
|
||||
* @param string $userId
|
||||
* @return DataResponse
|
||||
* @throws OCSException
|
||||
* @throws OCSForbiddenException
|
||||
*/
|
||||
public function enableUser($userId) {
|
||||
return $this->setEnabled($userId, true);
|
||||
|
@ -390,8 +400,7 @@ class UsersController extends OCSController {
|
|||
*
|
||||
* @param string $userId
|
||||
* @return DataResponse
|
||||
* @throws OCSForbiddenException
|
||||
* @throws OCSNotFoundException
|
||||
* @throws OCSException
|
||||
*/
|
||||
public function getUsersGroups($userId) {
|
||||
$loggedInUser = $this->userSession->getUser();
|
||||
|
@ -430,6 +439,7 @@ class UsersController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @param string $userId
|
||||
* @param string $groupid
|
||||
* @return DataResponse
|
||||
|
@ -455,9 +465,10 @@ class UsersController extends OCSController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PasswordConfirmationRequired
|
||||
* @NoAdminRequired
|
||||
*
|
||||
* @param string userId
|
||||
* @param string $userId
|
||||
* @param string $groupid
|
||||
* @return DataResponse
|
||||
* @throws OCSException
|
||||
|
@ -511,6 +522,8 @@ class UsersController extends OCSController {
|
|||
/**
|
||||
* Creates a subadmin
|
||||
*
|
||||
* @PasswordConfirmationRequired
|
||||
*
|
||||
* @param string $userId
|
||||
* @param string $groupid
|
||||
* @return DataResponse
|
||||
|
@ -550,6 +563,8 @@ class UsersController extends OCSController {
|
|||
/**
|
||||
* Removes a subadmin from a group
|
||||
*
|
||||
* @PasswordConfirmationRequired
|
||||
*
|
||||
* @param string $userId
|
||||
* @param string $groupid
|
||||
* @return DataResponse
|
||||
|
|
|
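Review bot: The docblock in the hunk at -455 still carries a stray `* @param string userId` line (no `$`) directly above the real `* @param string $userId`; since this commit already edits that docblock, dropping the malformed line would keep doc tooling from reading it as an extra parameter. The method that docblock belongs to begins outside the hunk. Separately, `disableUser` and `enableUser` (hunk at -339) are `@NoAdminRequired` and delegate straight to `setEnabled`, so the new annotation only makes the caller reconfirm their own password; the sub-admin authorization for the target user presumably lives in `setEnabled`, which is not visible here, so it is worth confirming that path still performs that check.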
@ -423,6 +423,7 @@ class Session implements IUserSession, Emitter {
|
|||
*
|
||||
* @todo do not allow basic auth if the user is 2FA enforced
|
||||
* @param IRequest $request
|
||||
* @param OC\Security\Bruteforce\Throttler $throttler
|
||||
* @return boolean if the login was successful
|
||||
*/
|
||||
public function tryBasicAuthLogin(IRequest $request,
|
||||
|
@ -440,6 +441,10 @@ class Session implements IUserSession, Emitter {
|
|||
$this->session->set(
|
||||
Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
|
||||
);
|
||||
|
||||
// Set the last-password-confirm session to make the sudo mode work
|
||||
$this->session->set('last-password-confirm', $this->timeFacory->getTime());
|
||||
|
||||
return true;
|
||||
}
|
||||
} catch (PasswordLoginForbiddenException $ex) {
|
||||
|
|
|
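Review bot: The new `last-password-confirm` write in the hunk at -440 marks the session as freshly password-confirmed on every successful basic-auth login, and the comment should say why that is sound: the credentials were verified on this very request. The login call itself (`logClientIn`, judging by the test) is outside this hunk, and if it also accepts app tokens as the password, a token-based basic-auth login would satisfy sudo mode too; confirm that is intended and record it, e.g. `// Basic auth presents the password on every request, so a successful login counts as a fresh password confirmation (sudo mode)`. `$this->timeFacory` reads like a misspelling; if the property is really declared under that name this is only unfortunate naming, otherwise it is an undefined-property access that the mocked test would not catch. tryBasicAuthLogin begins before this hunk and continues after it.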
@ -8,6 +8,7 @@
|
|||
|
||||
namespace Test\User;
|
||||
|
||||
use OC\AppFramework\Http\Request;
|
||||
use OC\Authentication\Token\DefaultTokenMapper;
|
||||
use OC\Authentication\Token\DefaultTokenProvider;
|
||||
use OC\Authentication\Token\IProvider;
|
||||
|
@ -17,6 +18,7 @@ use OC\Session\Memory;
|
|||
use OC\User\Manager;
|
||||
use OC\User\Session;
|
||||
use OC\User\User;
|
||||
use OCA\DAV\Connector\Sabre\Auth;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\ILogger;
|
||||
|
@ -1219,4 +1221,103 @@ class SessionTest extends \Test\TestCase {
|
|||
|
||||
$this->userSession->createRememberMeToken($user);
|
||||
}
|
||||
|
||||
public function testTryBasicAuthLoginValid() {
|
||||
$request = $this->createMock(Request::class);
|
||||
$request->method('__get')
|
||||
->willReturn([
|
||||
'PHP_AUTH_USER' => 'username',
|
||||
'PHP_AUTH_PW' => 'password',
|
||||
]);
|
||||
$request->method('__isset')
|
||||
->with('server')
|
||||
->willReturn(true);
|
||||
|
||||
$davAuthenticatedSet = false;
|
||||
$lastPasswordConfirmSet = false;
|
||||
|
||||
$this->session
|
||||
->method('set')
|
||||
->will($this->returnCallback(function($k, $v) use (&$davAuthenticatedSet, &$lastPasswordConfirmSet) {
|
||||
switch ($k) {
|
||||
case Auth::DAV_AUTHENTICATED:
|
||||
$davAuthenticatedSet = $v;
|
||||
return;
|
||||
case 'last-password-confirm':
|
||||
$lastPasswordConfirmSet = 1000;
|
||||
return;
|
||||
default:
|
||||
throw new \Exception();
|
||||
}
|
||||
}));
|
||||
|
||||
$userSession = $this->getMockBuilder(Session::class)
|
||||
->setConstructorArgs([
|
||||
$this->manager,
|
||||
$this->session,
|
||||
$this->timeFactory,
|
||||
$this->tokenProvider,
|
||||
$this->config,
|
||||
$this->random,
|
||||
])
|
||||
->setMethods([
|
||||
'logClientIn',
|
||||
'getUser',
|
||||
])
|
||||
->getMock();
|
||||
|
||||
/** @var Session|\PHPUnit_Framework_MockObject_MockObject */
|
||||
$userSession->expects($this->once())
|
||||
->method('logClientIn')
|
||||
->with(
|
||||
$this->equalTo('username'),
|
||||
$this->equalTo('password'),
|
||||
$this->equalTo($request),
|
||||
$this->equalTo($this->throttler)
|
||||
)->willReturn(true);
|
||||
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->method('getUID')->willReturn('username');
|
||||
|
||||
$userSession->expects($this->once())
|
||||
->method('getUser')
|
||||
->willReturn($user);
|
||||
|
||||
$this->assertTrue($userSession->tryBasicAuthLogin($request, $this->throttler));
|
||||
|
||||
$this->assertSame('username', $davAuthenticatedSet);
|
||||
$this->assertSame(1000, $lastPasswordConfirmSet);
|
||||
}
|
||||
|
||||
public function testTryBasicAuthLoginNoLogin() {
|
||||
$request = $this->createMock(Request::class);
|
||||
$request->method('__get')
|
||||
->willReturn([]);
|
||||
$request->method('__isset')
|
||||
->with('server')
|
||||
->willReturn(true);
|
||||
|
||||
$this->session->expects($this->never())
|
||||
->method($this->anything());
|
||||
|
||||
$userSession = $this->getMockBuilder(Session::class)
|
||||
->setConstructorArgs([
|
||||
$this->manager,
|
||||
$this->session,
|
||||
$this->timeFactory,
|
||||
$this->tokenProvider,
|
||||
$this->config,
|
||||
$this->random,
|
||||
])
|
||||
->setMethods([
|
||||
'logClientIn',
|
||||
])
|
||||
->getMock();
|
||||
|
||||
/** @var Session|\PHPUnit_Framework_MockObject_MockObject */
|
||||
$userSession->expects($this->never())
|
||||
->method('logClientIn');
|
||||
|
||||
$this->assertFalse($userSession->tryBasicAuthLogin($request, $this->throttler));
|
||||
}
|
||||
}
|
||||
|
|
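Review bot: `testTryBasicAuthLoginValid` never checks the value written under `last-password-confirm`: the `set` callback assigns the constant `1000` instead of `$v` (`$lastPasswordConfirmSet = 1000;`), so the final `assertSame(1000, $lastPasswordConfirmSet)` passes as long as the key is set at all, whatever the time factory returned. Capturing the value and stubbing the factory makes the assertion meaningful: `$lastPasswordConfirmSet = $v;` in the callback plus `$this->timeFactory->method('getTime')->willReturn(1000);` before the call, unless setUp, which is outside this hunk, already stubs `getTime` to 1000. The `default: throw new \Exception();` branch is a good guard, since it surfaces any unexpected session key written during login.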