From 78273cb1e61870782d36e7b045abdfcee0cb647b Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Wed, 3 Oct 2018 11:48:02 +0200 Subject: [PATCH] Add an endppoint for clients to request an app password Now that we allow enforcing 2 factor auth it make sense if we also allow and endpoint where the clients can in the background fetch an apppassword if they were configured before the login flow was present. Signed-off-by: Roeland Jago Douma --- core/Controller/AppPasswordController.php | 108 +++++++++++ core/routes.php | 1 + lib/composer/composer/autoload_classmap.php | 1 + lib/composer/composer/autoload_static.php | 1 + .../Controller/AppPasswordControllerTest.php | 179 ++++++++++++++++++ 5 files changed, 290 insertions(+) create mode 100644 core/Controller/AppPasswordController.php create mode 100644 tests/Core/Controller/AppPasswordControllerTest.php diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php new file mode 100644 index 0000000000..ce06730694 --- /dev/null +++ b/core/Controller/AppPasswordController.php @@ -0,0 +1,108 @@ + + * + * @author Roeland Jago Douma + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OC\Core\Controller; + +use OC\Authentication\Token\IProvider; +use OC\Authentication\Token\IToken; +use OCP\AppFramework\Http\DataResponse; +use OCP\AppFramework\OCS\OCSForbiddenException; +use OCP\Authentication\Exceptions\CredentialsUnavailableException; +use OCP\Authentication\Exceptions\PasswordUnavailableException; +use OCP\Authentication\LoginCredentials\IStore; +use OCP\IRequest; +use OCP\ISession; +use OCP\Security\ISecureRandom; + +class AppPasswordController extends \OCP\AppFramework\OCSController { + + /** @var ISession */ + private $session; + + /** @var ISecureRandom */ + private $random; + + /** @var IProvider */ + private $tokenProvider; + + /** @var IStore */ + private $credentialStore; + + public function __construct(string $appName, + IRequest $request, + ISession $session, + ISecureRandom $random, + IProvider $tokenProvider, + IStore $credentialStore) { + parent::__construct($appName, $request); + + $this->session = $session; + $this->random = $random; + $this->tokenProvider = $tokenProvider; + $this->credentialStore = $credentialStore; + } + + /** + * @NoAdminRequired + * + * @return DataResponse + * @throws OCSForbiddenException + */ + public function getAppPassword(): DataResponse { + // We do not allow the creation of new tokens if this is an app password + if ($this->session->exists('app_password')) { + throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword'); + } + + try { + $credentials = $this->credentialStore->getLoginCredentials(); + } catch (CredentialsUnavailableException $e) { + throw new OCSForbiddenException(); + } + + try { + $password = $credentials->getPassword(); + } catch (PasswordUnavailableException $e) { + $password = null; + } + + $userAgent = $this->request->getHeader('USER_AGENT'); + + $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); + + $this->tokenProvider->generateToken( + $token, + $credentials->getUID(), + $credentials->getLoginName(), + $password, + $userAgent, + IToken::PERMANENT_TOKEN, + IToken::DO_NOT_REMEMBER + ); + + return new DataResponse([ + 'apppassword' => $token + ]); + } +} diff --git a/core/routes.php b/core/routes.php index 4ac51dc236..f3884a765a 100644 --- a/core/routes.php +++ b/core/routes.php @@ -81,6 +81,7 @@ $application->registerRoutes($this, [ ['root' => '/core', 'name' => 'AutoComplete#get', 'url' => '/autocomplete/get', 'verb' => 'GET'], ['root' => '/core', 'name' => 'WhatsNew#get', 'url' => '/whatsnew', 'verb' => 'GET'], ['root' => '/core', 'name' => 'WhatsNew#dismiss', 'url' => '/whatsnew', 'verb' => 'POST'], + ['root' => '/core', 'name' => 'AppPassword#getAppPassword', 'url' => '/getapppassword', 'verb' => 'GET'], ], ]); diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index 8e92dc04d3..4e8a523fad 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -595,6 +595,7 @@ return array( 'OC\\Core\\Command\\User\\Report' => $baseDir . '/core/Command/User/Report.php', 'OC\\Core\\Command\\User\\ResetPassword' => $baseDir . '/core/Command/User/ResetPassword.php', 'OC\\Core\\Command\\User\\Setting' => $baseDir . '/core/Command/User/Setting.php', + 'OC\\Core\\Controller\\AppPasswordController' => $baseDir . '/core/Controller/AppPasswordController.php', 'OC\\Core\\Controller\\AutoCompleteController' => $baseDir . '/core/Controller/AutoCompleteController.php', 'OC\\Core\\Controller\\AvatarController' => $baseDir . '/core/Controller/AvatarController.php', 'OC\\Core\\Controller\\CSRFTokenController' => $baseDir . '/core/Controller/CSRFTokenController.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index 841c139a73..34c530aa1e 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php @@ -625,6 +625,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\Core\\Command\\User\\Report' => __DIR__ . '/../../..' . '/core/Command/User/Report.php', 'OC\\Core\\Command\\User\\ResetPassword' => __DIR__ . '/../../..' . '/core/Command/User/ResetPassword.php', 'OC\\Core\\Command\\User\\Setting' => __DIR__ . '/../../..' . '/core/Command/User/Setting.php', + 'OC\\Core\\Controller\\AppPasswordController' => __DIR__ . '/../../..' . '/core/Controller/AppPasswordController.php', 'OC\\Core\\Controller\\AutoCompleteController' => __DIR__ . '/../../..' . '/core/Controller/AutoCompleteController.php', 'OC\\Core\\Controller\\AvatarController' => __DIR__ . '/../../..' . '/core/Controller/AvatarController.php', 'OC\\Core\\Controller\\CSRFTokenController' => __DIR__ . '/../../..' . '/core/Controller/CSRFTokenController.php', diff --git a/tests/Core/Controller/AppPasswordControllerTest.php b/tests/Core/Controller/AppPasswordControllerTest.php new file mode 100644 index 0000000000..f0c223ccc1 --- /dev/null +++ b/tests/Core/Controller/AppPasswordControllerTest.php @@ -0,0 +1,179 @@ + + * + * @author Roeland Jago Douma + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace Tests\Core\Controller; + +use OC\Authentication\Token\IProvider; +use OC\Authentication\Token\IToken; +use OC\Core\Controller\AppPasswordController; +use OCP\AppFramework\OCS\OCSForbiddenException; +use OCP\Authentication\Exceptions\CredentialsUnavailableException; +use OCP\Authentication\Exceptions\PasswordUnavailableException; +use OCP\Authentication\LoginCredentials\ICredentials; +use OCP\Authentication\LoginCredentials\IStore; +use OCP\IRequest; +use OCP\ISession; +use OCP\Security\ISecureRandom; +use PHPUnit\Framework\MockObject\MockObject; +use Test\TestCase; + +class AppPasswordControllerTest extends TestCase { + + /** @var ISession|MockObject */ + private $session; + + /** @var ISecureRandom|MockObject */ + private $random; + + /** @var IProvider|MockObject */ + private $tokenProvider; + + /** @var IStore|MockObject */ + private $credentialStore; + + /** @var IRequest|MockObject */ + private $request; + + /** @var AppPasswordController */ + private $controller; + + public function setUp() { + parent::setUp(); + + $this->session = $this->createMock(ISession::class); + $this->random = $this->createMock(ISecureRandom::class); + $this->tokenProvider = $this->createMock(IProvider::class); + $this->credentialStore = $this->createMock(IStore::class); + $this->request = $this->createMock(IRequest::class); + + $this->controller = new AppPasswordController( + 'core', + $this->request, + $this->session, + $this->random, + $this->tokenProvider, + $this->credentialStore + ); + } + + public function testGetAppPasswordWithAppPassword() { + $this->session->method('exists') + ->with('app_password') + ->willReturn(true); + + $this->expectException(OCSForbiddenException::class); + + $this->controller->getAppPassword(); + } + + public function testGetAppPasswordNoLoginCreds() { + $this->session->method('exists') + ->with('app_password') + ->willReturn(false); + $this->credentialStore->method('getLoginCredentials') + ->willThrowException(new CredentialsUnavailableException()); + + $this->expectException(OCSForbiddenException::class); + + $this->controller->getAppPassword(); + } + + public function testGetAppPassword() { + $credentials = $this->createMock(ICredentials::class); + + $this->session->method('exists') + ->with('app_password') + ->willReturn(false); + $this->credentialStore->method('getLoginCredentials') + ->willReturn($credentials); + $credentials->method('getUid') + ->willReturn('myUID'); + $credentials->method('getPassword') + ->willReturn('myPassword'); + $credentials->method('getLoginName') + ->willReturn('myLoginName'); + $this->request->method('getHeader') + ->with('USER_AGENT') + ->willReturn('myUA'); + $this->random->method('generate') + ->with( + 72, + ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS + )->willReturn('myToken'); + + $this->tokenProvider->expects($this->once()) + ->method('generateToken') + ->with( + 'myToken', + 'myUID', + 'myLoginName', + 'myPassword', + 'myUA', + IToken::PERMANENT_TOKEN, + IToken::DO_NOT_REMEMBER + ); + + $this->controller->getAppPassword(); + } + + public function testGetAppPasswordNoPassword() { + $credentials = $this->createMock(ICredentials::class); + + $this->session->method('exists') + ->with('app_password') + ->willReturn(false); + $this->credentialStore->method('getLoginCredentials') + ->willReturn($credentials); + $credentials->method('getUid') + ->willReturn('myUID'); + $credentials->method('getPassword') + ->willThrowException(new PasswordUnavailableException()); + $credentials->method('getLoginName') + ->willReturn('myLoginName'); + $this->request->method('getHeader') + ->with('USER_AGENT') + ->willReturn('myUA'); + $this->random->method('generate') + ->with( + 72, + ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS + )->willReturn('myToken'); + + $this->tokenProvider->expects($this->once()) + ->method('generateToken') + ->with( + 'myToken', + 'myUID', + 'myLoginName', + null, + 'myUA', + IToken::PERMANENT_TOKEN, + IToken::DO_NOT_REMEMBER + ); + + $this->controller->getAppPassword(); + } + + +}