/** * This is being run in normal order before the controller is being * called which allows several modifications and checks * * @param Controller $controller the controller that is being called * @param string $methodName the name of the method that will be called on * the controller * @throws SecurityException * @since 6.0.0 */ public function beforeController($controller, $methodName) { // ensure that @SSOCORS annotated API routes are not used in conjunction // with session authentication since this enables CSRF attack vectors if ($this->reflector->hasAnnotation('SSOCORS') && !$this->reflector->hasAnnotation('PublicPage')) { $authInfo = AuthInfo::get(); if (!\OC::$server->getSystemConfig()->getValue("sso_one_time_password")) { $tokenVaildator = \OCA\SingleSignOn\RequestManager::send(\OCA\SingleSignOn\ISingleSignOnRequest::VALIDTOKEN, $authInfo); if (!$tokenVaildator) { throw new SecurityException('Token expired!', Http::STATUS_UNAUTHORIZED); } } $userInfo = \OCA\SingleSignOn\RequestManager::getRequest(\OCA\SingleSignOn\ISingleSignOnRequest::INFO); $this->session->logout(); if (!\OCA\SingleSignOn\Util::login($userInfo, $authInfo)) { throw new SecurityException('SSO CORS requires basic auth', Http::STATUS_UNAUTHORIZED); } } }
public static function webDavLogin($userID, $password) { $config = \OC::$server->getSystemConfig(); RequestManager::init($config->getValue("sso_portal_url"), $config->getValue("sso_requests")); $authInfo = WebDavAuthInfo::get($userID, $password); $userInfo = RequestManager::getRequest(ISingleSignOnRequest::INFO); $userInfo->setup(array("action" => "webDavLogin")); if (!$userInfo->send($authInfo)) { return; } if ($config->getValue("sso_multiple_region")) { self::redirectRegion($userInfo, $config->getValue("sso_regions"), $config->getValue("sso_owncloud_url")); } if (!\OC_User::userExists($userInfo->getUserId())) { return self::firstLogin($userInfo, $authInfo); } if ($authInfo) { return self::login($userInfo, $authInfo); } return false; }
public function process() { $ssoUrl = $this->config->getValue("sso_login_url"); $userInfo = RequestManager::getRequest(ISingleSignOnRequest::INFO); $authInfo = AuthInfo::get(); $userInfo->setup(array("action" => "webLogin")); if ($this->unnecessaryAuth($this->request->getRequestUri())) { $uri = substr($this->request->getRequestUri(), -1 * strlen($this->config->getValue("sso_admin_login_uri"))); if ($uri === $this->config->getValue("sso_admin_login_uri") && $this->visitPort != $this->config->getValue("sso_admin_login_port")) { Util::redirect($this->defaultPageUrl); } return; } if (isset($_GET["logout"]) && $_GET["logout"] == "true") { if ($this->config->getValue("sso_global_logout")) { RequestManager::send(ISingleSignOnRequest::INVALIDTOKEN, $authInfo); } \OC_User::logout(); $template = new \OC_Template("singlesignon", "logout", "guest"); $template->printPage(); die; } if (\OC_User::isLoggedIn() && $this->config->getValue("sso_one_time_password")) { return; } if (\OC_User::isLoggedIn() && !$authInfo) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "unauthorizedActions", "guest"); $template->printPage(); die; } if (\OC_User::isLoggedIn() && (!RequestManager::send(ISingleSignOnRequest::VALIDTOKEN, $authInfo) && !$this->config->getValue("sso_one_time_password"))) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "tokenExpired", "guest"); $template->printPage(); die; } if (!$authInfo || !RequestManager::send(ISingleSignOnRequest::VALIDTOKEN, $authInfo) && !$this->config->getValue("sso_one_time_password")) { $url = $this->redirectUrl ? $ssoUrl . $this->config->getValue("sso_return_url_key") . $this->redirectUrl : $ssoUrl; Util::redirect($url); } if (\OC_User::isLoggedIn()) { return; } if (empty($ssoUrl) || !$userInfo->send($authInfo) || !$userInfo->hasPermission()) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "verificationFailure", "guest"); $template->printPage(); if ($userInfo->hasErrorMsg()) { \OCP\Util::writeLog("Single Sign-On", $userInfo->getErrorMsg(), \OCP\Util::ERROR); } die; } if ($this->config->getValue("sso_multiple_region")) { Util::redirectRegion($userInfo, $this->config->getValue("sso_regions"), $this->config->getValue("sso_owncloud_url")); } if (!\OC_User::userExists($userInfo->getUserId())) { Util::firstLogin($userInfo, $authInfo); if ($this->request->getHeader("ORIGIN")) { return; } Util::redirect($this->defaultPageUrl); } else { Util::login($userInfo, $authInfo); if ($this->request->getHeader("ORIGIN")) { return; } Util::redirect($this->defaultPageUrl); } }