The "named" Mink selector first tries to find an exact match for its
locator and then, if not found, tries to find a partial match. Besides
other harder to track problems (see comment in the commit in which the
"content" locator was removed), this could cause, for example, finding
an action link titled "Favorited" when looking for the action link
titled "Favorite" (that is, one that conveys the opposite state to the
one found).
Although currently all the acceptance tests are compatible with both the
"named" and the "named_exact" Mink selectors the predefined locators are
modified to use the "named_exact" Mink selector to make them more
future-proof; the "named" Mink selector can still be used if needed
through the "customSelector" method in the builder object.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The "content" locator uses the "named" Mink selector and the "content"
Mink locator to find the element. The "named" Mink first tries to find
the elements whose content match exactly the given content but, if none
is found, then it tries to find elements that just contain the given
content.
This behaviour can lead to hard to track issues. Finding the exact match
and, if not found, finding the partial match is done in quick
succession. In most cases, when looking for an exact match the element
is already there, it is returned, and everything works as expected. Or
it may not be there, but then it is not there either when finding the
partial match, so no element is returned, and everything works as
expected (that is, the actor tries to find again the element after some
time).
However, it can also happen that when looking for an exact match there
is no element yet, but it appears after trying to find the exact match
but before trying to find the partial match. In that situation the
desired element would be returned along with its ancestors. However, as
only the first found element is taken into account and the ancestors
would appear first the find action would be successful, but the returned
element would not be the expected one. This is highly unlikely, yet
possible, and can cause sporadic failures in acceptance tests that,
apparently, work as expected.
Using a "named_exact" Mink selector instead of the "named" Mink selector
does not provide the desired behaviour in most cases either. As it finds
any element whose content matches exactly the given content, looking for
"Hello world" in "<div><p><a>Hello world</a></p></div>" would match the
"div", "p" and "a" elements; in that situation the "div" element would
be the one returned, when typically the "a" element would be the
expected one.
As it is error prone and easily replaceable by more robust locators the
"content" locator was removed from the predefined ones (although it can
still be used if needed through the "customSelector" method in the
builder object).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling.
This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This implements the basics for the new app-password based authentication flow for our clients.
The current implementation tries to keep it as simple as possible and works the following way:
1. Unauthenticated client opens `/index.php/login/flow`
2. User will be asked whether they want to grant access to the client
3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password.
If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler.
While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the
near future we have to think about an automatic migration endpoint so there's that anyways :-)
If the user chooses to use the regular login the following happens:
1. A session state token is written to the session
2. User is redirected to the login page
3. If successfully authenticated they will be redirected to a page redirecting to the POST controller
4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler.
This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
The plain text password for a shared links was hashed and, then, the
hashed password was hashed again and set as the final password. Due to
this the password introduced in the "Authenticate" page for the shared
link was always a wrong password, and thus the file could not be
accessed.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The data storage (the "notebook") is shared between all the actors, so
the data can be stored and retrieved between different steps by any
actor in the same scenario.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
As requested by Morris Jobke, the passwords in the acceptance tests were
modified to make them valid both for a clean Nextcloud server and one
with the password_policy app enabled.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Trying to configure method "getRemember" which cannot be configured
because it does not exist, has not been specified, is final, or is
static
Signed-off-by: Joas Schilling <coding@schilljs.com>
While the risk is actually quite low because one would already have the user session and could potentially do other havoc it makes sense to throttle here in case of invalid previous password attempts.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Each provider just returns what they have so adding an element won't
require changing everything
* Added tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* This allows for effective queries.
* Introduce currentAccess parameter to speciy if the users needs to have
currently acces (deleted incomming group share). (For notifications)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This allows adding rate limiting via annotations to controllers, as one example:
```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```
Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Also adds `\OCP\Mail\IMailer::createEMailTemplate` as helper so the functionality can easily be used within apps.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* currently there are two ways to access default values:
OCP\Defaults or OC_Defaults (which is extended by
OCA\Theming\ThemingDefaults)
* our code used a mixture of both of them, which made
it hard to work on theme values
* this extended the public interface with the missing
methods and uses them everywhere to only rely on the
public interface
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* thanks to @espina2 for make this nice design
* the button says "Set password" if the admin didn't specified a password
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
This is not intended anymore, since it falls back to force english
when the header is not set. Also 0228bc6e66
makes clear that the order should be:
1. User setting
2. Accept language
3. Admin default
This is the case since the commit from above, unless via OCS and DAV.
Both forced to accept-language falling back to english.
By removing the force, it now also matches the w3 priority list:
https://www.w3.org/International/questions/qa-lang-priorities
Signed-off-by: Joas Schilling <coding@schilljs.com>
* added functionality to override config.php values with 'OC_' prefixed environment variables
* use getenv to read environment variables since apache does not set $_ENV variables, fixed test
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Fixes#3890
If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.
See RFC 2616 Section 4.3
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This adds the bruteforce settings app that allows to configure (for now)
subnets that are to be ignored when doing brute force analysis. This can
for example be the LAN since we trust people from there.
* Add app
* Add php tests
* Add js tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
When the instance is not installed don't run the JSCombiner as the appdata folder does not yet exist.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Since reading a file from disks can be costly. Lets store the dependency
json also in memcache.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* success on SQLite and Postgres
* failure on MySQL due to the limited charset that only supports up to 3 bytes
Add config option to update charset of mysql to utf8mb4
* fully optional
* requires additional options set in the database
only disable unicode test on mysql
Fixing ctor call
Adding docker based unit test execution for mysql utf8mb4
Add mysqlmb4 test configuration to Jenkinsfile
fix collation on utf8mb4
Properly setup charset and collation in the doctrine connection
Allow files containing 4-byte chars in case the database supports it
During setup of a mysql database we try to detect if charset 'utf8mb4' can be used
Fix mysql settings
Add console command to migrate the charset
Set ROW_FORMAT before setting collation to mb4
Also select tables with wrong collation
Faster MySQL docker
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Daniel Calviño Sánchez
Christoph Wurst
Robin Appelman
Roeland Jago Douma
Lukas Reschke
Marius Blüm
Arthur Schiwon
Morris Jobke
Bjoern Schiessle
Joas Schilling
Vincent Petry
Piotr Mrówczyński
Georg Ehrke
Jan-Christoph Borchardt
Stefan Weil
Noveen Sachdeva
Roeland Jago Douma
Julius Haertl
Felix A. Epp
Artur Neumann
Roger Szabo
Philipp Schaffrath