TwoFactorChallengeController.php 8.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Christoph Wurst <christoph@owncloud.com>
  6. * @author Cornelius Kölbel <cornelius.koelbel@netknights.it>
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Lukas Reschke <lukas@statuscode.ch>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. *
  11. * @license AGPL-3.0
  12. *
  13. * This code is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License, version 3,
  15. * as published by the Free Software Foundation.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License, version 3,
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>
  24. *
  25. */
  26. namespace OC\Core\Controller;
  27. use OC\Authentication\TwoFactorAuth\Manager;
  28. use OC_User;
  29. use OC_Util;
  30. use OCP\AppFramework\Controller;
  31. use OCP\AppFramework\Http\RedirectResponse;
  32. use OCP\AppFramework\Http\StandaloneTemplateResponse;
  33. use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
  34. use OCP\Authentication\TwoFactorAuth\IProvider;
  35. use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
  36. use OCP\Authentication\TwoFactorAuth\TwoFactorException;
  37. use OCP\IRequest;
  38. use OCP\ISession;
  39. use OCP\IURLGenerator;
  40. use OCP\IUserSession;
  41. class TwoFactorChallengeController extends Controller {
  42. /** @var Manager */
  43. private $twoFactorManager;
  44. /** @var IUserSession */
  45. private $userSession;
  46. /** @var ISession */
  47. private $session;
  48. /** @var IURLGenerator */
  49. private $urlGenerator;
  50. /**
  51. * @param string $appName
  52. * @param IRequest $request
  53. * @param Manager $twoFactorManager
  54. * @param IUserSession $userSession
  55. * @param ISession $session
  56. * @param IURLGenerator $urlGenerator
  57. */
  58. public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession,
  59. ISession $session, IURLGenerator $urlGenerator) {
  60. parent::__construct($appName, $request);
  61. $this->twoFactorManager = $twoFactorManager;
  62. $this->userSession = $userSession;
  63. $this->session = $session;
  64. $this->urlGenerator = $urlGenerator;
  65. }
  66. /**
  67. * @return string
  68. */
  69. protected function getLogoutUrl() {
  70. return OC_User::getLogoutUrl($this->urlGenerator);
  71. }
  72. /**
  73. * @param IProvider[] $providers
  74. */
  75. private function splitProvidersAndBackupCodes(array $providers): array {
  76. $regular = [];
  77. $backup = null;
  78. foreach ($providers as $provider) {
  79. if ($provider->getId() === 'backup_codes') {
  80. $backup = $provider;
  81. } else {
  82. $regular[] = $provider;
  83. }
  84. }
  85. return [$regular, $backup];
  86. }
  87. /**
  88. * @NoAdminRequired
  89. * @NoCSRFRequired
  90. *
  91. * @param string $redirect_url
  92. * @return StandaloneTemplateResponse
  93. */
  94. public function selectChallenge($redirect_url) {
  95. $user = $this->userSession->getUser();
  96. $providerSet = $this->twoFactorManager->getProviderSet($user);
  97. $allProviders = $providerSet->getProviders();
  98. list($providers, $backupProvider) = $this->splitProvidersAndBackupCodes($allProviders);
  99. $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
  100. $data = [
  101. 'providers' => $providers,
  102. 'backupProvider' => $backupProvider,
  103. 'providerMissing' => $providerSet->isProviderMissing(),
  104. 'redirect_url' => $redirect_url,
  105. 'logout_url' => $this->getLogoutUrl(),
  106. 'hasSetupProviders' => !empty($setupProviders),
  107. ];
  108. return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
  109. }
  110. /**
  111. * @NoAdminRequired
  112. * @NoCSRFRequired
  113. * @UseSession
  114. *
  115. * @param string $challengeProviderId
  116. * @param string $redirect_url
  117. * @return StandaloneTemplateResponse|RedirectResponse
  118. */
  119. public function showChallenge($challengeProviderId, $redirect_url) {
  120. $user = $this->userSession->getUser();
  121. $providerSet = $this->twoFactorManager->getProviderSet($user);
  122. $provider = $providerSet->getProvider($challengeProviderId);
  123. if (is_null($provider)) {
  124. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  125. }
  126. $backupProvider = $providerSet->getProvider('backup_codes');
  127. if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
  128. // Don't show the backup provider link if we're already showing that provider's challenge
  129. $backupProvider = null;
  130. }
  131. $errorMessage = '';
  132. $error = false;
  133. if ($this->session->exists('two_factor_auth_error')) {
  134. $this->session->remove('two_factor_auth_error');
  135. $error = true;
  136. $errorMessage = $this->session->get("two_factor_auth_error_message");
  137. $this->session->remove('two_factor_auth_error_message');
  138. }
  139. $tmpl = $provider->getTemplate($user);
  140. $tmpl->assign('redirect_url', $redirect_url);
  141. $data = [
  142. 'error' => $error,
  143. 'error_message' => $errorMessage,
  144. 'provider' => $provider,
  145. 'backupProvider' => $backupProvider,
  146. 'logout_url' => $this->getLogoutUrl(),
  147. 'redirect_url' => $redirect_url,
  148. 'template' => $tmpl->fetchPage(),
  149. ];
  150. $response = new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
  151. if ($provider instanceof IProvidesCustomCSP) {
  152. $response->setContentSecurityPolicy($provider->getCSP());
  153. }
  154. return $response;
  155. }
  156. /**
  157. * @NoAdminRequired
  158. * @NoCSRFRequired
  159. * @UseSession
  160. *
  161. * @UserRateThrottle(limit=5, period=100)
  162. *
  163. * @param string $challengeProviderId
  164. * @param string $challenge
  165. * @param string $redirect_url
  166. * @return RedirectResponse
  167. */
  168. public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
  169. $user = $this->userSession->getUser();
  170. $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
  171. if (is_null($provider)) {
  172. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  173. }
  174. try {
  175. if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
  176. if (!is_null($redirect_url)) {
  177. return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
  178. }
  179. return new RedirectResponse(OC_Util::getDefaultPageUrl());
  180. }
  181. } catch (TwoFactorException $e) {
  182. /*
  183. * The 2FA App threw an TwoFactorException. Now we display more
  184. * information to the user. The exception text is stored in the
  185. * session to be used in showChallenge()
  186. */
  187. $this->session->set('two_factor_auth_error_message', $e->getMessage());
  188. }
  189. $this->session->set('two_factor_auth_error', true);
  190. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
  191. 'challengeProviderId' => $provider->getId(),
  192. 'redirect_url' => $redirect_url,
  193. ]));
  194. }
  195. /**
  196. * @NoAdminRequired
  197. * @NoCSRFRequired
  198. */
  199. public function setupProviders() {
  200. $user = $this->userSession->getUser();
  201. $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
  202. $data = [
  203. 'providers' => $setupProviders,
  204. 'logout_url' => $this->getLogoutUrl(),
  205. ];
  206. $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
  207. return $response;
  208. }
  209. /**
  210. * @NoAdminRequired
  211. * @NoCSRFRequired
  212. */
  213. public function setupProvider(string $providerId) {
  214. $user = $this->userSession->getUser();
  215. $providers = $this->twoFactorManager->getLoginSetupProviders($user);
  216. $provider = null;
  217. foreach ($providers as $p) {
  218. if ($p->getId() === $providerId) {
  219. $provider = $p;
  220. break;
  221. }
  222. }
  223. if ($provider === null) {
  224. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  225. }
  226. /** @var IActivatableAtLogin $provider */
  227. $tmpl = $provider->getLoginSetup($user)->getBody();
  228. $data = [
  229. 'provider' => $provider,
  230. 'logout_url' => $this->getLogoutUrl(),
  231. 'template' => $tmpl->fetchPage(),
  232. ];
  233. $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
  234. return $response;
  235. }
  236. /**
  237. * @NoAdminRequired
  238. * @NoCSRFRequired
  239. *
  240. * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
  241. */
  242. public function confirmProviderSetup(string $providerId) {
  243. return new RedirectResponse($this->urlGenerator->linkToRoute(
  244. 'core.TwoFactorChallenge.showChallenge',
  245. [
  246. 'challengeProviderId' => $providerId,
  247. ]
  248. ));
  249. }
  250. }