Commit Graph

177 Commits

Author SHA1 Message Date
Roeland Jago Douma f03eb7ec3c
Remote wipe support
This allows a user to mark a token for remote wipe.
Clients that support this can then wipe the device properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-20 20:50:27 +02:00
Roeland Jago Douma 579162d7b9
Allow 2FA to be setup on first login
Once 2FA is enforced for a user and they have no 2FA setup yet this will
now prompt them with a setup screen. Given that providers are enabled
that allow setup then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-17 10:11:53 +02:00
Christoph Wurst 170582d4f5
Add a login chain to reduce the complexity of LoginController::tryLogin
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-07 18:04:36 +02:00
Daniel Kesselberg 34e849d702
Add interface INamedToken
Remove $token instanceof DefaultToken || $token instanceof PublicKeyToken

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-02-02 20:21:57 +01:00
Roeland Jago Douma ac8a6e2244
Clean pending 2FA authentication on password reset
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.

The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-29 13:08:56 +01:00
Daniel Kesselberg ec8aefc762
Read openssl error and log
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-12-06 21:27:57 +01:00
Roeland Jago Douma 674930da7f
Move ExpiredTokenException to the correct namespace
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-30 19:30:45 +01:00
Roeland Jago Douma 34f5f4091e
Catch more occurences where ExpiredTokenException can be thrown
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 14:37:08 +02:00
Roeland Jago Douma b3a92a4e39
Expired PK tokens should not fall back to legacy tokens
Fixes #11919

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 14:34:29 +02:00
Christoph Wurst 83e994c11f
Make it possible to enforce mandatory 2FA for groups
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-10-15 08:22:52 +02:00
Roeland Jago Douma 19f84f7b54
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:54 +02:00
Roeland Jago Douma d9febae5b2
Update all the publickey tokens if needed on web login
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token

This ensures that your marked as invalid tokens work again if you once
login on the web.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:54 +02:00
Roeland Jago Douma 00e99af586
Mark token as invalid if the password doesn't match
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:44 +02:00
Roeland Jago Douma a95154642d
Emit event on enablign or disabling of 2FA provider
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-01 15:35:24 +02:00
Christoph Wurst 259c0ce11d
Add mandatory 2FA service/class
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-09-30 11:47:29 +02:00
Morris Jobke ee73f6c416
Merge pull request #11240 from nextcloud/feature/noid/consider-openssl-settings-from-config.php
Consider openssl settings from config.php
2018-09-25 18:04:20 +02:00
Christoph Wurst 7586b19e52
Only allow 2FA state changs if providers support the operation
Ref https://github.com/nextcloud/server/issues/11019.

Add `twofactorauth:cleanup` command

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-09-25 09:54:20 +02:00
Joas Schilling f258e65f13
Also adjust the expiration of PublicKeyTokenProvider
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-09-20 09:54:27 +02:00
Joas Schilling 5e6187926f
Copy the expiration from 480864b3e3 to getTokenById
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-09-19 17:55:48 +02:00
Daniel Kesselberg 90a9a1ecc6
Consider openssl settings from config.php
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-09-16 11:51:15 +02:00
Roeland Jago Douma 47b46fa69d
Expire tokens hardening
Just to be sure that the field is also not 0

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-07 10:01:31 +02:00
Christoph Wurst fb98db7da7
Fix handlng of concurrent inserts of the 2FA provider registry DAO
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-31 11:46:27 +02:00
Christoph Wurst 1124b87bc0
Fix 2FA being enforced if only backup codes provider is active
Fixes https://github.com/nextcloud/server/issues/10634.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-10 09:26:40 +02:00
Christoph Wurst 8db66d5dfb
Fix double-inserts of the same provider state
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-09 13:56:04 +02:00
Christoph Wurst d8197f2b97
Rename providerset method to get primary providers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-08 20:28:21 +02:00
Christoph Wurst c6e47e8a51
Fix login redirection if only one 2FA provider is active
Fixes https://github.com/nextcloud/server/issues/10500.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-08 15:25:59 +02:00
Christoph Wurst d248a0bd1e
Fix 2FA provider registry population on login
If the 2FA provider registry has not been populated yet, we have to make
sure all available providers are loaded and queried on login. Otherwise
previously active 2FA providers aren't detected as enabled.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-08 06:57:52 +02:00
Christoph Wurst fc149bab3c
Fix duplicate inserts in the 2fa provider registry DAO
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-07-31 06:43:44 +02:00
Christoph Wurst 7be465febe
Make new classes strict and fix license header
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-06-25 07:38:52 +02:00
Christoph Wurst 13d93f5b25
Make 2FA providers stateful
This adds persistence to the Nextcloud server 2FA logic so that the server
knows which 2FA providers are enabled for a specific user at any time, even
when the provider is not available.

The `IStatefulProvider` interface was added as tagging interface for providers
that are compatible with this new API.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-06-20 08:30:26 +02:00
Roeland Jago Douma 82959ca93e
Comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-19 07:46:43 +02:00
Roeland Jago Douma 970dea9264
Add getProvider helper function
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma df34571d1d
Use constant for token version
And don't set the version in the constructor. That would possible cause
to many updates.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 9e7a95fe58
Add more tests
* Add a lot of tests
* Fixes related to those tests
* Fix tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 1999f7ce7b
Generate the new publicKey tokens by default!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma f168ecfa7a
Actually convert the token
* When getting the token
* When rotating the token

* Also store the encrypted password as base64 to avoid weird binary
stuff

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma d03d16a936
Add publickey provider to manager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 4bbc21cb21
SetPassword on PublicKeyTokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 4c0d710479
Just pass uid to the Token stuff
We don't have user objects in the code everywhere

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 1f17010e0b
Add first tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 02e0af1287
Initial PKT implementation
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 3dd5f3d5f6
Abstract the Provider via a manager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:53 +02:00
Roeland Jago Douma 480864b3e3
Make the token expiration also work for autocasting 0
Some bad databases don't respect the default null apprently.
Now even if they cast it to 0 it should work just fine.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-08 16:20:43 +02:00
Roeland Jago Douma 6b7cf46727
Certain tokens can expire
However due to the nature of what we store in the token (encrypted
passwords etc). We can't just delete the tokens because that would make
the oauth refresh useless.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-17 16:10:19 +02:00
Roeland Jago Douma aba255997a
Allow the rotation of tokens
This for example will allow rotating the apptoken for oauth

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-16 19:27:19 +02:00
Roeland Jago Douma 4ea2daf04d
Refix scope
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-15 11:41:27 +02:00
Roeland Jago Douma 466297829e
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-15 10:56:40 +02:00
Roeland Jago Douma 47388e1cfe
Make the Token Auth code strict
In preparation for #9441

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-15 10:32:30 +02:00
Roeland Jago Douma 610c66520b
Move over TokenMapper
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-10 19:47:43 +02:00
Morris Jobke eb51f06a3b
Use ::class statement instead of string
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-29 12:03:47 +01:00
Roeland Jago Douma eddd135f14
Dispatch event on twofactor failure and success
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-25 13:25:09 +01:00
Flávio Gomes da Silva Lisboa 5ca9a7d6bc
Loss of performance on Login after upgrade from NC10 + LDAP to NC 12 + LDAP #6732
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-11-27 09:22:44 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Christoph Wurst 38bb6e1477
Fix duplicate session token after remembered login
On a remembered login session, we create a new session token
in the database with the values of the old one. As we actually
don't need the old session token anymore, we can delete it right
away.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-20 21:39:31 +02:00
Roeland Jago Douma 9163cf9241
Fix AppPassword 2FA auth
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-12 22:28:43 +02:00
Roeland Jago Douma b96485b6bd
Fix login with basic auth
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-05 12:24:41 +02:00
Roeland Jago Douma 84b7022118
Improve 2FA
* Store the auth state in the session so we don't have to query it every
time.
* Added some tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-29 20:27:36 +02:00
Joas Schilling fc22a2cb07
Fix auth provider
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-02 09:48:16 +02:00
Joas Schilling a76d4ef04e
Fix clob comparison
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-02 09:48:15 +02:00
Roeland Jago Douma 5f227bd93b
More phpstorm inspection fixes
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 11:39:29 +02:00
Marcel Waldvogel 4e42f059ed Minor typos
Signed-off-by: Marcel Waldvogel <marcel.waldvogel@uni-konstanz.de>
2017-07-21 09:50:44 +02:00
Lukas Reschke 7976927628 Merge pull request #4894 from nextcloud/generic-security-activities
Change 2FA activities to more generic security activities
2017-05-19 00:50:44 +02:00
Christoph Wurst 0928b5f621
Change 2FA activities to more generic security activities
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-05-18 22:10:57 +02:00
Lukas Reschke 77827ebf11
Rename table back to lowercase
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:09 +02:00
Bjoern Schiessle 1eb7f4956b
delete auth token when client gets deleted
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-05-18 20:49:07 +02:00
Martin 53b8330e6d
Defining App "cron" for "Invalidating tokens older than" message #27167 (#27201)
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-19 22:51:47 -06:00
Christoph Wurst 21d3fe5883
do not hard-require the token provider
The provider might need DB access and therefore depenedency
resolution fails on the setup page where we cannot inject
the db implementation.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:11 +01:00
Christoph Wurst 6f74ecd94a
use login hook credentials as fallback
If no session token is available, we can use the credentials provided
by the login hook.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:11 +01:00
Christoph Wurst 3316a9d294
fix @since annotations (9.1->12)
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:11 +01:00
Christoph Wurst 46adb3eced
replace session implementation if it changes at runtime
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:11 +01:00
Christoph Wurst a6dca9e7a0
add login credential store
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:09 +01:00
Christoph Wurst ed4017dfb4
fix minor issues
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-12-19 11:59:48 +01:00
Christoph Wurst 7ae9442f3d
Publish, parse and filter 2FA activities
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-12-19 11:59:47 +01:00
Lukas Reschke 0cc771ce19 Merge pull request #2353 from nextcloud/renew-session-token-remember
copy remember-me value when renewing a session token
2016-11-28 14:04:13 +01:00
Christoph Wurst 2f36920ddf fix undefined index error when the backup codes provider is not active
In users have not created backup codes yet the app is not enabled for that user
and therefore we got an undefined index error because the code assumed it was
always there. It now properly returns null.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-28 08:48:57 +01:00
Christoph Wurst 2183a1f3e6 copy remember-me value when renewing a session token
On renew, a session token is duplicated. For some reason we did
not copy over the remember-me attribute value. Hence, the new token
was deleted too early in the background job and remember-me did
not work properly.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-27 14:19:57 +01:00
Robin Appelman 73dfe1835a
use lower loglevel for token cleanup messages
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-17 10:42:12 +01:00
Robin Appelman e77432783b
Add test for setting up fake fs
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:24:32 +01:00
Roeland Jago Douma e5bc80b31d
Adds TokenProvider and Mapper tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-16 15:24:31 +01:00
Robin Appelman 4c3d18a9fc
explicit types
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:24:29 +01:00
Robin Appelman a4ea20a259
cast to int
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:24:29 +01:00
Robin Appelman c5df58ec69
phpdoc
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:24:28 +01:00
Robin Appelman 7e9e5db496
fix setscope
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:28 +01:00
Robin Appelman 1afccde16a
allow configuring filesystem access
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Robin Appelman b4e27d35f5
app password scope wip
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Robin Appelman 2389e0f250
read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Christoph Wurst 4da6b20e76 document what the method does
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 17:42:46 +01:00
Lukas Reschke 9d6e01ef40
Add missing tests and fix PHPDoc
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-02 13:39:17 +01:00
Lukas Reschke 271f2a4cff
Fix typ in constant name
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-02 13:39:17 +01:00
Lukas Reschke b269ed5a7b
Fix invalid PHPDocs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-02 13:39:17 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Christoph Wurst 8acb734854
add 2fa backup codes app
* add backup codes app unit tests
* add integration tests for the backup codes app
2016-09-05 08:51:13 +02:00
Christoph Wurst 6af2efb679
prevent infinite redirect loops if the there is no 2fa provider to pass
This fixes infinite loops that are caused whenever a user is about to solve a 2FA
challenge, but the provider app is disabled at the same time. Since the session
value usually indicates that the challenge needs to be solved before we grant access
we have to remove that value instead in this special case.
2016-08-24 10:49:23 +02:00
Christoph Wurst e90f00791d add invalidateOldTokens to IProvider interface 2016-08-02 12:08:13 +02:00
Robin Appelman 681ac9f19f Check if an app provide two-factor-auth providers before we try to use them 2016-07-23 13:26:57 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Vincent Petry 3db5de95bd Merge pull request #25172 from owncloud/token-login-validation
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst b805908dca
update session token password on user password change 2016-06-21 10:24:25 +02:00
Vincent Petry 88b9f5a357 Merge pull request #25162 from owncloud/password-login-forbidden-hint
Password login forbidden hint
2016-06-20 17:05:20 +02:00
Christoph Wurst b0f2878f6e
close cursor after loading a token 2016-06-17 16:13:28 +02:00