protected function execute(InputInterface $input, OutputInterface $output) { $uid = $input->getArgument('uid'); $user = $this->userManager->get($uid); if (is_null($user)) { $output->writeln("<error>Invalid UID</error>"); return; } $this->manager->enableTwoFactorAuthentication($user); $output->writeln("Two-factor authentication enabled for user {$uid}"); }
/** * Generate a new access token clients can authenticate with * * @PublicPage * @NoCSRFRequired * * @param string $user * @param string $password * @param string $name the name of the client * @return JSONResponse */ public function generateToken($user, $password, $name = 'unknown client') { if (is_null($user) || is_null($password)) { $response = new JSONResponse(); $response->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY); return $response; } $loginName = $user; $user = $this->userManager->checkPassword($loginName, $password); if ($user === false) { $response = new JSONResponse(); $response->setStatus(Http::STATUS_UNAUTHORIZED); return $response; } if ($this->twoFactorAuthManager->isTwoFactorAuthenticated($user)) { $resp = new JSONResponse(); $resp->setStatus(Http::STATUS_UNAUTHORIZED); return $resp; } $token = $this->secureRandom->generate(128); $this->tokenProvider->generateToken($token, $user->getUID(), $loginName, $password, $name, IToken::PERMANENT_TOKEN); return ['token' => $token]; }
/** * @expectedException \Sabre\DAV\Exception\NotAuthenticated * @expectedExceptionMessage 2FA challenge not passed. */ public function testAuthenticateAlreadyLoggedInWithoutTwoFactorChallengePassed() { $request = $this->getMockBuilder('Sabre\\HTTP\\RequestInterface')->disableOriginalConstructor()->getMock(); $response = $this->getMockBuilder('Sabre\\HTTP\\ResponseInterface')->disableOriginalConstructor()->getMock(); $this->userSession->expects($this->any())->method('isLoggedIn')->willReturn(true); $this->request->expects($this->any())->method('getMethod')->willReturn('PROPFIND'); $this->request->expects($this->any())->method('isUserAgent')->with(['/^Mozilla\\/5\\.0 \\([A-Za-z ]+\\) (mirall|csyncoC)\\/.*$/', '/^Mozilla\\/5\\.0 \\(Android\\) ownCloud\\-android.*$/', '/^Mozilla\\/5\\.0 \\(iOS\\) ownCloud\\-iOS.*$/'])->willReturn(false); $this->session->expects($this->any())->method('get')->with('AUTHENTICATED_TO_DAV_BACKEND')->will($this->returnValue('LoggedInUser')); $user = $this->getMockBuilder('\\OCP\\IUser')->disableOriginalConstructor()->getMock(); $user->expects($this->any())->method('getUID')->will($this->returnValue('LoggedInUser')); $this->userSession->expects($this->any())->method('getUser')->will($this->returnValue($user)); $this->request->expects($this->once())->method('passesCSRFCheck')->willReturn(true); $this->twoFactorManager->expects($this->once())->method('needsSecondFactor')->will($this->returnValue(true)); $this->auth->check($request, $response); }
/** * @NoAdminRequired * @NoCSRFRequired * @UseSession * * @param string $challengeProviderId * @param string $challenge * @param string $redirect_url * @return RedirectResponse */ public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) { $user = $this->userSession->getUser(); $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId); if (is_null($provider)) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); } if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) { if (!is_null($redirect_url)) { return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url))); } return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); } $this->session->set('two_factor_auth_error', true); return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', ['challengeProviderId' => $provider->getId(), 'redirect_url' => $redirect_url])); }
private function checkTwoFactor($controller, $methodName) { // If two-factor auth is in progress disallow access to any controllers // defined within "LoginController". $needsSecondFactor = $this->twoFactorManager->needsSecondFactor(); $twoFactor = $controller instanceof TwoFactorChallengeController; // Disallow access to any controller if 2FA needs to be checked if ($needsSecondFactor && !$twoFactor) { throw new TwoFactorAuthRequiredException(); } // Allow access to the two-factor controllers only if two-factor authentication // is in progress. if (!$needsSecondFactor && $twoFactor) { throw new UserAlreadyLoggedInException(); } }
/** * @PublicPage * @UseSession * * @param string $user * @param string $password * @param string $redirect_url * @return RedirectResponse */ public function tryLogin($user, $password, $redirect_url) { $originalUser = $user; // TODO: Add all the insane error handling /* @var $loginResult IUser */ $loginResult = $this->userManager->checkPassword($user, $password); if ($loginResult === false) { $users = $this->userManager->getByEmail($user); // we only allow login by email if unique if (count($users) === 1) { $user = $users[0]->getUID(); $loginResult = $this->userManager->checkPassword($user, $password); } } if ($loginResult === false) { $this->session->set('loginMessages', [['invalidpassword']]); // Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name $args = !is_null($user) ? ['user' => $originalUser] : []; return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); } // TODO: remove password checks from above and let the user session handle failures // requires https://github.com/owncloud/core/pull/24616 $this->userSession->login($user, $password); $this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password); if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) { $this->twoFactorManager->prepareTwoFactorLogin($loginResult); if (!is_null($redirect_url)) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', ['redirect_url' => $redirect_url])); } return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); } if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) { $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { return new RedirectResponse($location); } } return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); }
/** * @param RequestInterface $request * @param ResponseInterface $response * @return array * @throws NotAuthenticated */ private function auth(RequestInterface $request, ResponseInterface $response) { $forcedLogout = false; if (!$this->request->passesCSRFCheck() && $this->requiresCSRFCheck()) { // In case of a fail with POST we need to recheck the credentials if ($this->request->getMethod() === 'POST') { $forcedLogout = true; } else { $response->setStatus(401); throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.'); } } if ($forcedLogout) { $this->userSession->logout(); } else { if ($this->twoFactorManager->needsSecondFactor()) { throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.'); } if (\OC_User::handleApacheAuth() || $this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)) || $this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null) { $user = $this->userSession->getUser()->getUID(); \OC_Util::setupFS($user); $this->currentUser = $user; $this->session->close(); return [true, $this->principalPrefix . $user]; } } if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) { // do not re-authenticate over ajax, use dummy auth name to prevent browser popup $response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"'); $response->setStatus(401); throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls'); } $data = parent::check($request, $response); if ($data[0] === true) { $startPos = strrpos($data[1], '/') + 1; $user = $this->userSession->getUser()->getUID(); $data[1] = substr_replace($data[1], $user, $startPos); } return $data; }
public function testPrepareTwoFactorLogin() { $this->user->expects($this->once())->method('getUID')->will($this->returnValue('ferdinand')); $this->session->expects($this->once())->method('set')->with('two_factor_auth_uid', 'ferdinand'); $this->manager->prepareTwoFactorLogin($this->user); }