Commit Graph

106 Commits

Author SHA1 Message Date
Christoph Wurst 2006a6dd0e Improve traces of invalid token exceptions
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-05-27 09:21:47 +02:00
Christoph Wurst cb057829f7 Update license headers for 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Christoph Wurst 28f8eb5dba Add visibility to all constants
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst caff1023ea Format control structures, classes, methods and function
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.

This also removes and empty lines from method/function bodies at the
beginning and end.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst 41b5e5923a Use exactly one empty line after the namespace declaration
For PSR2

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst 1a9330cd69 Update the license headers for Nextcloud 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +02:00
Christoph Wurst 74936c49ea Remove unused imports
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 22:08:08 +01:00
Roeland Jago Douma 3b26bfe879 Merge pull request #20127 from nextcloud/bugfix/noid/check-user-on-remote-wipe
Check the user on remote wipe
2020-03-24 20:26:52 +01:00
Joas Schilling dc7913efcd Fix recursive calls in logging via server methods
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-03-18 18:59:49 +01:00
Joas Schilling 9935c71ec3 Check the user on remote wipe
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-03-16 09:29:28 +01:00
Christoph Wurst 5bf3d1bb38 Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma b371e735cf Throw an invalid token exception is token is marked outdated
This avoids hitting the backend with multiple requests for the same
token. And will help avoid quick LDAP lockouts.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-12-02 18:57:13 +01:00
Christoph Wurst 0299ea0a96 Handle token insert conflicts
Env-based SAML uses the "Apache auth" mechanism to log users in. In this
code path, we first delete all existin auth tokens from the database,
before a new one is inserted. This is problematic for concurrent
requests as they might reach the same code at the same time, hence both
trying to insert a new row wit the same token (the session ID). This
also bubbles up and disables user_saml.

As the token might still be OK (both request will insert the same data),
we can actually just check if the UIDs of the conflict row is the same
as the one we want to insert right now. In that case let's just use the
existing entry and carry on.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-11-26 12:07:12 +01:00
Roeland Jago Douma 68748d4f85 Some php-cs fixes
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Roeland Jago Douma 5122629bb0 Make renewSessionToken return the new token
Avoids directly getting the token again. We just inserted it so it and
have all the info. So that query is just a waste.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-10-09 10:10:37 +02:00
Roeland Jago Douma 3fccc7dc47 Cache the public key tokens
Sometimes (esp with token auth) we query the same token multiple times.
While this is properly indexed and fast it is still a bit of a waste.

Right now it is doing very stupid caching. Which gets invalidate on any
update.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-10-08 13:57:36 +02:00
Daniel Kesselberg ee76b0fbd2 Add uid to delete temp token query
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-09-18 16:52:42 +02:00
Daniel Kesselberg 608f4d3ee9 Pass $configargs to openssl_pkey_export
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-07-21 22:21:59 +02:00
Morris Jobke 4ae17427c5 Error with exception on SSL error
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-07-18 18:50:44 +02:00
Christoph Wurst d058ef2b6c Make it possible to wipe all tokens/devices of a user
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-07-09 13:57:04 +02:00
Christoph Wurst 1c261675ad Refactor: move remote wipe token logic to RW service
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-07-09 13:39:27 +02:00
Christoph Wurst aa6622ccef Decouple remote wipe notifcation channels with events
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-06-27 17:16:18 +02:00
Roeland Jago Douma f03eb7ec3c Remote wipe support
This allows a user to mark a token for remote wipe.
Clients that support this can then wipe the device properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-20 20:50:27 +02:00
Daniel Kesselberg 34e849d702 Add interface INamedToken
Remove $token instanceof DefaultToken || $token instanceof PublicKeyToken

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-02-02 20:21:57 +01:00
Daniel Kesselberg ec8aefc762 Read openssl error and log
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-12-06 21:27:57 +01:00
Roeland Jago Douma 674930da7f Move ExpiredTokenException to the correct namespace
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-30 19:30:45 +01:00
Roeland Jago Douma 34f5f4091e Catch more occurences where ExpiredTokenException can be thrown
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 14:37:08 +02:00
Roeland Jago Douma b3a92a4e39 Expired PK tokens should not fall back to legacy tokens
Fixes #11919

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 14:34:29 +02:00
Roeland Jago Douma 19f84f7b54 Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:54 +02:00
Roeland Jago Douma d9febae5b2 Update all the publickey tokens if needed on web login
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token

This ensures that your marked as invalid tokens work again if you once
login on the web.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:54 +02:00
Roeland Jago Douma 00e99af586 Mark token as invalid if the password doesn't match
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 19:50:44 +02:00
Morris Jobke ee73f6c416 Merge pull request #11240 from nextcloud/feature/noid/consider-openssl-settings-from-config.php
Consider openssl settings from config.php
2018-09-25 18:04:20 +02:00
Joas Schilling f258e65f13 Also adjust the expiration of PublicKeyTokenProvider
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-09-20 09:54:27 +02:00
Joas Schilling 5e6187926f Copy the expiration from 480864b3e3 to getTokenById
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-09-19 17:55:48 +02:00
Daniel Kesselberg 90a9a1ecc6 Consider openssl settings from config.php
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-09-16 11:51:15 +02:00
Roeland Jago Douma 47b46fa69d Expire tokens hardening
Just to be sure that the field is also not 0

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-07 10:01:31 +02:00
Roeland Jago Douma 82959ca93e Comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-19 07:46:43 +02:00
Roeland Jago Douma 970dea9264 Add getProvider helper function
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma df34571d1d Use constant for token version
And don't set the version in the constructor. That would possible cause
to many updates.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 9e7a95fe58 Add more tests
* Add a lot of tests
* Fixes related to those tests
* Fix tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 1999f7ce7b Generate the new publicKey tokens by default!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma f168ecfa7a Actually convert the token
* When getting the token
* When rotating the token

* Also store the encrypted password as base64 to avoid weird binary
stuff

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma d03d16a936 Add publickey provider to manager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 4bbc21cb21 SetPassword on PublicKeyTokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:55 +02:00
Roeland Jago Douma 4c0d710479 Just pass uid to the Token stuff
We don't have user objects in the code everywhere

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 1f17010e0b Add first tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 02e0af1287 Initial PKT implementation
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:54 +02:00
Roeland Jago Douma 3dd5f3d5f6 Abstract the Provider via a manager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-18 22:11:53 +02:00
Roeland Jago Douma 480864b3e3 Make the token expiration also work for autocasting 0
Some bad databases don't respect the default null apprently.
Now even if they cast it to 0 it should work just fine.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-08 16:20:43 +02:00
Roeland Jago Douma 6b7cf46727 Certain tokens can expire
However due to the nature of what we store in the token (encrypted
passwords etc). We can't just delete the tokens because that would make
the oauth refresh useless.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-17 16:10:19 +02:00