-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
two factor auth #24559
two factor auth #24559
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
<?php | ||
|
||
/** | ||
* @author Christoph Wurst <[email protected]> | ||
* | ||
* @copyright Copyright (c) 2016, ownCloud, Inc. | ||
* @license AGPL-3.0 | ||
* | ||
* This code is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License, version 3, | ||
* as published by the Free Software Foundation. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License, version 3, | ||
* along with this program. If not, see <http://www.gnu.org/licenses/> | ||
* | ||
*/ | ||
|
||
namespace OC\Core\Command\TwoFactorAuth; | ||
|
||
use OC\Authentication\TwoFactorAuth\Manager; | ||
use OC\User\Manager as UserManager; | ||
use OC\Core\Command\Base; | ||
use Symfony\Component\Console\Input\InputArgument; | ||
use Symfony\Component\Console\Input\InputInterface; | ||
use Symfony\Component\Console\Output\OutputInterface; | ||
|
||
class Disable extends Base { | ||
|
||
/** @var Manager */ | ||
private $manager; | ||
|
||
/** @var UserManager */ | ||
private $userManager; | ||
|
||
public function __construct(Manager $manager, UserManager $userManager) { | ||
parent::__construct('twofactorauth:disable'); | ||
$this->manager = $manager; | ||
$this->userManager = $userManager; | ||
} | ||
|
||
protected function configure() { | ||
parent::configure(); | ||
|
||
$this->setName('twofactorauth:disable'); | ||
$this->setDescription('Disable two-factor authentication for a user'); | ||
$this->addArgument('uid', InputArgument::REQUIRED); | ||
} | ||
|
||
protected function execute(InputInterface $input, OutputInterface $output) { | ||
$uid = $input->getArgument('uid'); | ||
$user = $this->userManager->get($uid); | ||
if (is_null($user)) { | ||
$output->writeln("<error>Invalid UID</error>"); | ||
return; | ||
} | ||
$this->manager->disableTwoFactorAuthentication($user); | ||
$output->writeln("Two-factor authentication disabled for user $uid"); | ||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
<?php | ||
|
||
/** | ||
* @author Christoph Wurst <[email protected]> | ||
* | ||
* @copyright Copyright (c) 2016, ownCloud, Inc. | ||
* @license AGPL-3.0 | ||
* | ||
* This code is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License, version 3, | ||
* as published by the Free Software Foundation. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License, version 3, | ||
* along with this program. If not, see <http://www.gnu.org/licenses/> | ||
* | ||
*/ | ||
|
||
namespace OC\Core\Command\TwoFactorAuth; | ||
|
||
use OC\Authentication\TwoFactorAuth\Manager; | ||
use OC\User\Manager as UserManager; | ||
use OC\Core\Command\Base; | ||
use Symfony\Component\Console\Input\InputArgument; | ||
use Symfony\Component\Console\Input\InputInterface; | ||
use Symfony\Component\Console\Output\OutputInterface; | ||
|
||
class Enable extends Base { | ||
|
||
/** @var Manager */ | ||
private $manager; | ||
|
||
/** @var UserManager */ | ||
private $userManager; | ||
|
||
public function __construct(Manager $manager, UserManager $userManager) { | ||
parent::__construct('twofactorauth:enable'); | ||
$this->manager = $manager; | ||
$this->userManager = $userManager; | ||
} | ||
|
||
protected function configure() { | ||
parent::configure(); | ||
|
||
$this->setName('twofactorauth:enable'); | ||
$this->setDescription('Enable two-factor authentication for a user'); | ||
$this->addArgument('uid', InputArgument::REQUIRED); | ||
} | ||
|
||
protected function execute(InputInterface $input, OutputInterface $output) { | ||
$uid = $input->getArgument('uid'); | ||
$user = $this->userManager->get($uid); | ||
if (is_null($user)) { | ||
$output->writeln("<error>Invalid UID</error>"); | ||
return; | ||
} | ||
$this->manager->enableTwoFactorAuthentication($user); | ||
$output->writeln("Two-factor authentication enabled for user $uid"); | ||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
<?php | ||
|
||
/** | ||
* @author Christoph Wurst <[email protected]> | ||
* | ||
* @copyright Copyright (c) 2016, ownCloud, Inc. | ||
* @license AGPL-3.0 | ||
* | ||
* This code is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License, version 3, | ||
* as published by the Free Software Foundation. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License, version 3, | ||
* along with this program. If not, see <http://www.gnu.org/licenses/> | ||
* | ||
*/ | ||
|
||
namespace OC\Core\Controller; | ||
|
||
use OC\Authentication\TwoFactorAuth\Manager; | ||
use OCP\AppFramework\Controller; | ||
use OCP\AppFramework\Http\RedirectResponse; | ||
use OCP\AppFramework\Http\TemplateResponse; | ||
use OCP\IRequest; | ||
use OCP\ISession; | ||
use OCP\IURLGenerator; | ||
use OCP\IUserSession; | ||
|
||
class TwoFactorChallengeController extends Controller { | ||
|
||
/** @var Manager */ | ||
private $twoFactorManager; | ||
|
||
/** @var IUserSession */ | ||
private $userSession; | ||
|
||
/** @var ISession */ | ||
private $session; | ||
|
||
/** @var IURLGenerator */ | ||
private $urlGenerator; | ||
|
||
/** | ||
* @param string $appName | ||
* @param IRequest $request | ||
* @param Manager $twoFactorManager | ||
* @param IUserSession $userSession | ||
* @param ISession $session | ||
* @param IURLGenerator $urlGenerator | ||
*/ | ||
public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession, | ||
ISession $session, IURLGenerator $urlGenerator) { | ||
parent::__construct($appName, $request); | ||
$this->twoFactorManager = $twoFactorManager; | ||
$this->userSession = $userSession; | ||
$this->session = $session; | ||
$this->urlGenerator = $urlGenerator; | ||
} | ||
|
||
/** | ||
* @NoCSRFRequired | ||
* @PublicPage | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd prefer a new annotation like Or add some more handling in the controller to ensure that not-logged in users won't see it and logged-in users only if the state is required. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah. That's what the TwoFactorMiddleware.php should do. Gotcha. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Exactly. Anything I need to change here? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not at the moment :) |
||
* | ||
* @return TemplateResponse | ||
*/ | ||
public function selectChallenge() { | ||
$user = $this->userSession->getUser(); | ||
$providers = $this->twoFactorManager->getProviders($user); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. which provider wins if there are multiple ones ? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. None. The users chooses between all providers enabled for the user There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, so the challenge page will display multiple boxes, one for each provider There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
|
||
$data = [ | ||
'providers' => $providers, | ||
]; | ||
return new TemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest'); | ||
} | ||
|
||
/** | ||
* @NoCSRFRequired | ||
* @PublicPage | ||
* @UseSession | ||
* | ||
* @param string $challengeProviderId | ||
* @return TemplateResponse | ||
*/ | ||
public function showChallenge($challengeProviderId) { | ||
$user = $this->userSession->getUser(); | ||
$provider = $this->twoFactorManager->getProvider($user, $challengeProviderId); | ||
if (is_null($provider)) { | ||
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); | ||
} | ||
|
||
if ($this->session->exists('two_factor_auth_error')) { | ||
$this->session->remove('two_factor_auth_error'); | ||
$error = true; | ||
} else { | ||
$error = false; | ||
} | ||
$data = [ | ||
'error' => $error, | ||
'provider' => $provider, | ||
'template' => $provider->getTemplate($user)->fetchPage(), | ||
]; | ||
return new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest'); | ||
} | ||
|
||
/** | ||
* @NoCSRFRequired | ||
* @PublicPage | ||
* @UseSession | ||
* | ||
* @param string $challengeProviderId | ||
* @param string $challenge | ||
* @return RedirectResponse | ||
*/ | ||
public function solveChallenge($challengeProviderId, $challenge) { | ||
$user = $this->userSession->getUser(); | ||
$provider = $this->twoFactorManager->getProvider($user, $challengeProviderId); | ||
if (is_null($provider)) { | ||
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); | ||
} | ||
|
||
if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) { | ||
return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); | ||
} | ||
|
||
$this->session->set('two_factor_auth_error', true); | ||
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', ['challengeProviderId' => $provider->getId()])); | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PHPDoc :)