Commit Graph

51 Commits

Author SHA1 Message Date
Roeland Jago Douma b8c5008acf
Add feature policy header
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma 37a4282c7a
Split up security middleware
With upcoming work for the feature policy header. Splitting this in
smaller classes that just do 1 thing makes sense.

I rather have a few small classes that are tiny and do 1 thing right
(and we all understand what is going on) than have big ones.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 16:11:45 +02:00
Christoph Wurst 22ae682823
Make it possible to show admin settings for sub admins
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-23 20:31:40 +02:00
Roeland Jago Douma 60e5a5eca4
Do not do redirect handling when loggin out
Fixes #12568
Since the clearing of the execution context causes another reload. We
should not do the redirect_uri handling as this results in redirecting
back to the logout page on login.

This adds a simple middleware that will just check if the
ClearExecutionContext session variable is set. If that is the case it
will just redirect back to the login page.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:29:32 +01:00
Roeland Jago Douma 603b672a11
Update password confirmation middleware
If the userbackend doesn't allow validating the password for a given uid
then there is no need to perform this check.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 13:44:45 +01:00
Bjoern Schiessle 85d9f06cb8
add global site selector as user back-end which doesn't support password confirmation
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-27 15:43:51 +02:00
Roeland Jago Douma 8c1e75e052
Do not use file as template parameter
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-09 16:45:25 +02:00
Arthur Schiwon 38a90130ce
move log constants to ILogger
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-04-26 10:45:52 +02:00
Roeland Jago Douma 3ad7daeda5
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 11:05:18 +01:00
Roeland Jago Douma 340e8ef16c
Make SecurityMiddleware strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 10:11:47 +01:00
Julien Veyssier 7da0812186 Do not throw AppNotEnabledException for app public pages - refs #6962, refs #5309
It allows non-logged user to access public pages of applications restricted to a group

Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
2018-02-28 20:35:53 +01:00
Morris Jobke cf35c4b03a
Provide translated error message for permission error
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-26 17:00:29 +01:00
Morris Jobke d3d045dd5c
Remove unused import statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-14 16:55:43 +01:00
Roeland Jago Douma c0adfa4375
Don't perform CSRF check on OCS routes with Bearer auth
Fixes #5694

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-29 14:37:18 +01:00
Morris Jobke 2a38605545
Properly log the full exception instead of only the message
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-23 10:57:21 +01:00
Roeland Jago Douma 57050146f6
Move passwordconfirmation to its own midleware
Add tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-02 21:58:14 +01:00
Bjoern Schiessle 1bcbeb24bc
disable password confirmation with SSO
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-02 20:30:37 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Morris Jobke ce0c45a4ea
Use proper DI for security middleware for app enabled check
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 15:36:28 +02:00
Roeland Jago Douma c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Lukas Reschke f93a82b8b0
Remove explicit type hints for Controller
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +02:00
Morris Jobke 84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Roeland Jago Douma 3548603a88
Fix middleware implementations signatures
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Joas Schilling 72c1b24844
Check whether the $_SERVER['REQUEST_*'] vars exist before using them
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 14:33:27 +02:00
Morris Jobke c54a59d51e
Remove unused use statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Lukas Reschke 8149945a91
Make BruteForceProtection annotation more clever
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Lukas Reschke a1ae5275f9
Move to dedicated MiddleWare
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke 66835476b5
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Bjoern Schiessle 32e0ec3e58
handle optional annotation parameters
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Bjoern Schiessle df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Joas Schilling 61e15988a0
Allow to overwrite the message which we already do in SubadminMiddleware
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 16:23:49 +01:00
Morris Jobke d86b29b42b Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Joas Schilling bb7787a157
Add the 15 seconds to the window, instead of removing
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling 827b6a610e
Introduce PasswordConfirmRequired annotation
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Christoph Wurst 0ebffa4a5f do not double encode the redirect url
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Roeland Jago Douma e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma 7c078a81b4
Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
2016-09-15 13:11:36 +02:00
Roeland Jago Douma 5c718b13b8
We should properly check for 'true' instaed of the bool 2016-08-01 08:52:50 +02:00
Roeland Jago Douma f7f5216aa3
Dark hackery to not always disable CSRF for OCS controllers 2016-07-29 15:49:27 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke c385423d10 Merge pull request #479 from nextcloud/add-bruteforce-throttler
Implement brute force protection
2016-07-21 00:31:02 +02:00
Lukas Reschke ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Lukas Reschke a299fa38a9
[master] Port Same-Site Cookies to master
Fixes https://github.com/nextcloud/server/issues/50
2016-07-20 18:37:57 +02:00
Christoph Wurst 82b50d126c
add PasswordLoginForbiddenException 2016-06-17 11:02:07 +02:00
Christoph Wurst 331d88bcab
create session token on all APIs 2016-06-13 15:38:34 +02:00
Christoph Wurst 9997c431c3
use client login method on CORS routes 2016-06-08 15:18:53 +02:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Roeland Jago Douma 4eebccd81f
Fix inconsistent nameing of AppFramework 2016-04-22 16:00:00 +02:00