TwoFactorChallengeController.php 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Christoph Wurst <christoph@owncloud.com>
  6. * @author Cornelius Kölbel <cornelius.koelbel@netknights.it>
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Lukas Reschke <lukas@statuscode.ch>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. *
  11. * @license AGPL-3.0
  12. *
  13. * This code is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License, version 3,
  15. * as published by the Free Software Foundation.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License, version 3,
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>
  24. *
  25. */
  26. namespace OC\Core\Controller;
  27. use OC\Authentication\TwoFactorAuth\Manager;
  28. use OC_User;
  29. use OC_Util;
  30. use OCP\AppFramework\Controller;
  31. use OCP\AppFramework\Http\RedirectResponse;
  32. use OCP\AppFramework\Http\TemplateResponse;
  33. use OCP\Authentication\TwoFactorAuth\IProvider;
  34. use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
  35. use OCP\Authentication\TwoFactorAuth\TwoFactorException;
  36. use OCP\IRequest;
  37. use OCP\ISession;
  38. use OCP\IURLGenerator;
  39. use OCP\IUserSession;
  40. class TwoFactorChallengeController extends Controller {
  41. /** @var Manager */
  42. private $twoFactorManager;
  43. /** @var IUserSession */
  44. private $userSession;
  45. /** @var ISession */
  46. private $session;
  47. /** @var IURLGenerator */
  48. private $urlGenerator;
  49. /**
  50. * @param string $appName
  51. * @param IRequest $request
  52. * @param Manager $twoFactorManager
  53. * @param IUserSession $userSession
  54. * @param ISession $session
  55. * @param IURLGenerator $urlGenerator
  56. */
  57. public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession,
  58. ISession $session, IURLGenerator $urlGenerator) {
  59. parent::__construct($appName, $request);
  60. $this->twoFactorManager = $twoFactorManager;
  61. $this->userSession = $userSession;
  62. $this->session = $session;
  63. $this->urlGenerator = $urlGenerator;
  64. }
  65. /**
  66. * @return string
  67. */
  68. protected function getLogoutUrl() {
  69. return OC_User::getLogoutUrl($this->urlGenerator);
  70. }
  71. /**
  72. * @param IProvider[] $providers
  73. */
  74. private function splitProvidersAndBackupCodes(array $providers): array {
  75. $regular = [];
  76. $backup = null;
  77. foreach ($providers as $provider) {
  78. if ($provider->getId() === 'backup_codes') {
  79. $backup = $provider;
  80. } else {
  81. $regular[] = $provider;
  82. }
  83. }
  84. return [$regular, $backup];
  85. }
  86. /**
  87. * @NoAdminRequired
  88. * @NoCSRFRequired
  89. *
  90. * @param string $redirect_url
  91. * @return TemplateResponse
  92. */
  93. public function selectChallenge($redirect_url) {
  94. $user = $this->userSession->getUser();
  95. $providerSet = $this->twoFactorManager->getProviderSet($user);
  96. $allProviders = $providerSet->getProviders();
  97. list($providers, $backupProvider) = $this->splitProvidersAndBackupCodes($allProviders);
  98. $data = [
  99. 'providers' => $providers,
  100. 'backupProvider' => $backupProvider,
  101. 'providerMissing' => $providerSet->isProviderMissing(),
  102. 'redirect_url' => $redirect_url,
  103. 'logout_url' => $this->getLogoutUrl(),
  104. ];
  105. return new TemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
  106. }
  107. /**
  108. * @NoAdminRequired
  109. * @NoCSRFRequired
  110. * @UseSession
  111. *
  112. * @param string $challengeProviderId
  113. * @param string $redirect_url
  114. * @return TemplateResponse|RedirectResponse
  115. */
  116. public function showChallenge($challengeProviderId, $redirect_url) {
  117. $user = $this->userSession->getUser();
  118. $providerSet = $this->twoFactorManager->getProviderSet($user);
  119. $provider = $providerSet->getProvider($challengeProviderId);
  120. if (is_null($provider)) {
  121. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  122. }
  123. $backupProvider = $providerSet->getProvider('backup_codes');
  124. if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
  125. // Don't show the backup provider link if we're already showing that provider's challenge
  126. $backupProvider = null;
  127. }
  128. $errorMessage = '';
  129. $error = false;
  130. if ($this->session->exists('two_factor_auth_error')) {
  131. $this->session->remove('two_factor_auth_error');
  132. $error = true;
  133. $errorMessage = $this->session->get("two_factor_auth_error_message");
  134. $this->session->remove('two_factor_auth_error_message');
  135. }
  136. $tmpl = $provider->getTemplate($user);
  137. $tmpl->assign('redirect_url', $redirect_url);
  138. $data = [
  139. 'error' => $error,
  140. 'error_message' => $errorMessage,
  141. 'provider' => $provider,
  142. 'backupProvider' => $backupProvider,
  143. 'logout_url' => $this->getLogoutUrl(),
  144. 'redirect_url' => $redirect_url,
  145. 'template' => $tmpl->fetchPage(),
  146. ];
  147. $response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
  148. if ($provider instanceof IProvidesCustomCSP) {
  149. $response->setContentSecurityPolicy($provider->getCSP());
  150. }
  151. return $response;
  152. }
  153. /**
  154. * @NoAdminRequired
  155. * @NoCSRFRequired
  156. * @UseSession
  157. *
  158. * @UserRateThrottle(limit=5, period=100)
  159. *
  160. * @param string $challengeProviderId
  161. * @param string $challenge
  162. * @param string $redirect_url
  163. * @return RedirectResponse
  164. */
  165. public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
  166. $user = $this->userSession->getUser();
  167. $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
  168. if (is_null($provider)) {
  169. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  170. }
  171. try {
  172. if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
  173. if (!is_null($redirect_url)) {
  174. return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
  175. }
  176. return new RedirectResponse(OC_Util::getDefaultPageUrl());
  177. }
  178. } catch (TwoFactorException $e) {
  179. /*
  180. * The 2FA App threw an TwoFactorException. Now we display more
  181. * information to the user. The exception text is stored in the
  182. * session to be used in showChallenge()
  183. */
  184. $this->session->set('two_factor_auth_error_message', $e->getMessage());
  185. }
  186. $this->session->set('two_factor_auth_error', true);
  187. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
  188. 'challengeProviderId' => $provider->getId(),
  189. 'redirect_url' => $redirect_url,
  190. ]));
  191. }
  192. }