nextcloud /
server
@@ -11,43 +11,43 @@ |
||
| 11 | 11 | use OCP\Share\IManager; |
| 12 | 12 | |
| 13 | 13 | class OCSShareAPIMiddleware extends Middleware { |
| 14 | - /** @var IManager */ |
|
| 15 | - private $shareManager; |
|
| 16 | - /** @var IL10N */ |
|
| 17 | - private $l; |
|
| 14 | + /** @var IManager */ |
|
| 15 | + private $shareManager; |
|
| 16 | + /** @var IL10N */ |
|
| 17 | + private $l; |
|
| 18 | 18 | |
| 19 | - public function __construct(IManager $shareManager, |
|
| 20 | - IL10N $l) { |
|
| 21 | - $this->shareManager = $shareManager; |
|
| 22 | - $this->l = $l; |
|
| 23 | - } |
|
| 19 | + public function __construct(IManager $shareManager, |
|
| 20 | + IL10N $l) { |
|
| 21 | + $this->shareManager = $shareManager; |
|
| 22 | + $this->l = $l; |
|
| 23 | + } |
|
| 24 | 24 | |
| 25 | - /** |
|
| 26 | - * @param Controller $controller |
|
| 27 | - * @param string $methodName |
|
| 28 | - * |
|
| 29 | - * @throws OCSNotFoundException |
|
| 30 | - */ |
|
| 31 | - public function beforeController($controller, $methodName) { |
|
| 32 | - if ($controller instanceof ShareAPIController) { |
|
| 33 | - if (!$this->shareManager->shareApiEnabled()) { |
|
| 34 | - throw new OCSNotFoundException($this->l->t('Share API is disabled')); |
|
| 35 | - } |
|
| 36 | - } |
|
| 37 | - } |
|
| 25 | + /** |
|
| 26 | + * @param Controller $controller |
|
| 27 | + * @param string $methodName |
|
| 28 | + * |
|
| 29 | + * @throws OCSNotFoundException |
|
| 30 | + */ |
|
| 31 | + public function beforeController($controller, $methodName) { |
|
| 32 | + if ($controller instanceof ShareAPIController) { |
|
| 33 | + if (!$this->shareManager->shareApiEnabled()) { |
|
| 34 | + throw new OCSNotFoundException($this->l->t('Share API is disabled')); |
|
| 35 | + } |
|
| 36 | + } |
|
| 37 | + } |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param Controller $controller |
|
| 41 | - * @param string $methodName |
|
| 42 | - * @param Response $response |
|
| 43 | - * @return Response |
|
| 44 | - */ |
|
| 45 | - public function afterController($controller, $methodName, Response $response) { |
|
| 46 | - if ($controller instanceof ShareAPIController) { |
|
| 47 | - /** @var ShareAPIController $controller */ |
|
| 48 | - $controller->cleanup(); |
|
| 49 | - } |
|
| 39 | + /** |
|
| 40 | + * @param Controller $controller |
|
| 41 | + * @param string $methodName |
|
| 42 | + * @param Response $response |
|
| 43 | + * @return Response |
|
| 44 | + */ |
|
| 45 | + public function afterController($controller, $methodName, Response $response) { |
|
| 46 | + if ($controller instanceof ShareAPIController) { |
|
| 47 | + /** @var ShareAPIController $controller */ |
|
| 48 | + $controller->cleanup(); |
|
| 49 | + } |
|
| 50 | 50 | |
| 51 | - return $response; |
|
| 52 | - } |
|
| 51 | + return $response; |
|
| 52 | + } |
|
| 53 | 53 | } |
@@ -1,6 +1,5 @@ discard block |
||
| 1 | 1 | <?php |
| 2 | 2 | /** |
| 3 | - |
|
| 4 | 3 | * |
| 5 | 4 | * @author Roeland Jago Douma <[email protected]> |
| 6 | 5 | * |
@@ -38,116 +37,116 @@ discard block |
||
| 38 | 37 | |
| 39 | 38 | class OCSMiddleware extends Middleware { |
| 40 | 39 | |
| 41 | - /** @var IRequest */ |
|
| 42 | - private $request; |
|
| 43 | - |
|
| 44 | - /** @var int */ |
|
| 45 | - private $ocsVersion; |
|
| 46 | - |
|
| 47 | - /** |
|
| 48 | - * @param IRequest $request |
|
| 49 | - */ |
|
| 50 | - public function __construct(IRequest $request) { |
|
| 51 | - $this->request = $request; |
|
| 52 | - } |
|
| 53 | - |
|
| 54 | - /** |
|
| 55 | - * @param Controller $controller |
|
| 56 | - * @param string $methodName |
|
| 57 | - */ |
|
| 58 | - public function beforeController($controller, $methodName) { |
|
| 59 | - if ($controller instanceof OCSController) { |
|
| 60 | - if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) { |
|
| 61 | - $this->ocsVersion = 2; |
|
| 62 | - } else { |
|
| 63 | - $this->ocsVersion = 1; |
|
| 64 | - } |
|
| 65 | - $controller->setOCSVersion($this->ocsVersion); |
|
| 66 | - } |
|
| 67 | - } |
|
| 68 | - |
|
| 69 | - /** |
|
| 70 | - * @param Controller $controller |
|
| 71 | - * @param string $methodName |
|
| 72 | - * @param \Exception $exception |
|
| 73 | - * @throws \Exception |
|
| 74 | - * @return BaseResponse |
|
| 75 | - */ |
|
| 76 | - public function afterException($controller, $methodName, \Exception $exception) { |
|
| 77 | - if ($controller instanceof OCSController && $exception instanceof OCSException) { |
|
| 78 | - $code = $exception->getCode(); |
|
| 79 | - if ($code === 0) { |
|
| 80 | - $code = API::RESPOND_UNKNOWN_ERROR; |
|
| 81 | - } |
|
| 82 | - |
|
| 83 | - return $this->buildNewResponse($controller, $code, $exception->getMessage()); |
|
| 84 | - } |
|
| 85 | - |
|
| 86 | - throw $exception; |
|
| 87 | - } |
|
| 88 | - |
|
| 89 | - /** |
|
| 90 | - * @param Controller $controller |
|
| 91 | - * @param string $methodName |
|
| 92 | - * @param Response $response |
|
| 93 | - * @return \OCP\AppFramework\Http\Response |
|
| 94 | - */ |
|
| 95 | - public function afterController($controller, $methodName, Response $response) { |
|
| 96 | - /* |
|
| 40 | + /** @var IRequest */ |
|
| 41 | + private $request; |
|
| 42 | + |
|
| 43 | + /** @var int */ |
|
| 44 | + private $ocsVersion; |
|
| 45 | + |
|
| 46 | + /** |
|
| 47 | + * @param IRequest $request |
|
| 48 | + */ |
|
| 49 | + public function __construct(IRequest $request) { |
|
| 50 | + $this->request = $request; |
|
| 51 | + } |
|
| 52 | + |
|
| 53 | + /** |
|
| 54 | + * @param Controller $controller |
|
| 55 | + * @param string $methodName |
|
| 56 | + */ |
|
| 57 | + public function beforeController($controller, $methodName) { |
|
| 58 | + if ($controller instanceof OCSController) { |
|
| 59 | + if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) { |
|
| 60 | + $this->ocsVersion = 2; |
|
| 61 | + } else { |
|
| 62 | + $this->ocsVersion = 1; |
|
| 63 | + } |
|
| 64 | + $controller->setOCSVersion($this->ocsVersion); |
|
| 65 | + } |
|
| 66 | + } |
|
| 67 | + |
|
| 68 | + /** |
|
| 69 | + * @param Controller $controller |
|
| 70 | + * @param string $methodName |
|
| 71 | + * @param \Exception $exception |
|
| 72 | + * @throws \Exception |
|
| 73 | + * @return BaseResponse |
|
| 74 | + */ |
|
| 75 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 76 | + if ($controller instanceof OCSController && $exception instanceof OCSException) { |
|
| 77 | + $code = $exception->getCode(); |
|
| 78 | + if ($code === 0) { |
|
| 79 | + $code = API::RESPOND_UNKNOWN_ERROR; |
|
| 80 | + } |
|
| 81 | + |
|
| 82 | + return $this->buildNewResponse($controller, $code, $exception->getMessage()); |
|
| 83 | + } |
|
| 84 | + |
|
| 85 | + throw $exception; |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + /** |
|
| 89 | + * @param Controller $controller |
|
| 90 | + * @param string $methodName |
|
| 91 | + * @param Response $response |
|
| 92 | + * @return \OCP\AppFramework\Http\Response |
|
| 93 | + */ |
|
| 94 | + public function afterController($controller, $methodName, Response $response) { |
|
| 95 | + /* |
|
| 97 | 96 | * If a different middleware has detected that a request unauthorized or forbidden |
| 98 | 97 | * we need to catch the response and convert it to a proper OCS response. |
| 99 | 98 | */ |
| 100 | - if ($controller instanceof OCSController && !($response instanceof BaseResponse)) { |
|
| 101 | - if ($response->getStatus() === Http::STATUS_UNAUTHORIZED || |
|
| 102 | - $response->getStatus() === Http::STATUS_FORBIDDEN) { |
|
| 103 | - |
|
| 104 | - $message = ''; |
|
| 105 | - if ($response instanceof JSONResponse) { |
|
| 106 | - /** @var DataResponse $response */ |
|
| 107 | - $message = $response->getData()['message']; |
|
| 108 | - } |
|
| 109 | - |
|
| 110 | - return $this->buildNewResponse($controller, API::RESPOND_UNAUTHORISED, $message); |
|
| 111 | - } |
|
| 112 | - } |
|
| 113 | - |
|
| 114 | - return $response; |
|
| 115 | - } |
|
| 116 | - |
|
| 117 | - /** |
|
| 118 | - * @param Controller $controller |
|
| 119 | - * @param int $code |
|
| 120 | - * @param string $message |
|
| 121 | - * @return V1Response|V2Response |
|
| 122 | - */ |
|
| 123 | - private function buildNewResponse(Controller $controller, $code, $message) { |
|
| 124 | - $format = $this->getFormat($controller); |
|
| 125 | - |
|
| 126 | - $data = new DataResponse(); |
|
| 127 | - $data->setStatus($code); |
|
| 128 | - if ($this->ocsVersion === 1) { |
|
| 129 | - $response = new V1Response($data, $format, $message); |
|
| 130 | - } else { |
|
| 131 | - $response = new V2Response($data, $format, $message); |
|
| 132 | - } |
|
| 133 | - |
|
| 134 | - return $response; |
|
| 135 | - } |
|
| 136 | - |
|
| 137 | - /** |
|
| 138 | - * @param Controller $controller |
|
| 139 | - * @return string |
|
| 140 | - */ |
|
| 141 | - private function getFormat(Controller $controller) { |
|
| 142 | - // get format from the url format or request format parameter |
|
| 143 | - $format = $this->request->getParam('format'); |
|
| 144 | - |
|
| 145 | - // if none is given try the first Accept header |
|
| 146 | - if($format === null) { |
|
| 147 | - $headers = $this->request->getHeader('Accept'); |
|
| 148 | - $format = $controller->getResponderByHTTPHeader($headers, 'xml'); |
|
| 149 | - } |
|
| 150 | - |
|
| 151 | - return $format; |
|
| 152 | - } |
|
| 99 | + if ($controller instanceof OCSController && !($response instanceof BaseResponse)) { |
|
| 100 | + if ($response->getStatus() === Http::STATUS_UNAUTHORIZED || |
|
| 101 | + $response->getStatus() === Http::STATUS_FORBIDDEN) { |
|
| 102 | + |
|
| 103 | + $message = ''; |
|
| 104 | + if ($response instanceof JSONResponse) { |
|
| 105 | + /** @var DataResponse $response */ |
|
| 106 | + $message = $response->getData()['message']; |
|
| 107 | + } |
|
| 108 | + |
|
| 109 | + return $this->buildNewResponse($controller, API::RESPOND_UNAUTHORISED, $message); |
|
| 110 | + } |
|
| 111 | + } |
|
| 112 | + |
|
| 113 | + return $response; |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + /** |
|
| 117 | + * @param Controller $controller |
|
| 118 | + * @param int $code |
|
| 119 | + * @param string $message |
|
| 120 | + * @return V1Response|V2Response |
|
| 121 | + */ |
|
| 122 | + private function buildNewResponse(Controller $controller, $code, $message) { |
|
| 123 | + $format = $this->getFormat($controller); |
|
| 124 | + |
|
| 125 | + $data = new DataResponse(); |
|
| 126 | + $data->setStatus($code); |
|
| 127 | + if ($this->ocsVersion === 1) { |
|
| 128 | + $response = new V1Response($data, $format, $message); |
|
| 129 | + } else { |
|
| 130 | + $response = new V2Response($data, $format, $message); |
|
| 131 | + } |
|
| 132 | + |
|
| 133 | + return $response; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + /** |
|
| 137 | + * @param Controller $controller |
|
| 138 | + * @return string |
|
| 139 | + */ |
|
| 140 | + private function getFormat(Controller $controller) { |
|
| 141 | + // get format from the url format or request format parameter |
|
| 142 | + $format = $this->request->getParam('format'); |
|
| 143 | + |
|
| 144 | + // if none is given try the first Accept header |
|
| 145 | + if($format === null) { |
|
| 146 | + $headers = $this->request->getHeader('Accept'); |
|
| 147 | + $format = $controller->getResponderByHTTPHeader($headers, 'xml'); |
|
| 148 | + } |
|
| 149 | + |
|
| 150 | + return $format; |
|
| 151 | + } |
|
| 153 | 152 | } |
@@ -41,100 +41,100 @@ |
||
| 41 | 41 | |
| 42 | 42 | class TwoFactorMiddleware extends Middleware { |
| 43 | 43 | |
| 44 | - /** @var Manager */ |
|
| 45 | - private $twoFactorManager; |
|
| 46 | - |
|
| 47 | - /** @var Session */ |
|
| 48 | - private $userSession; |
|
| 49 | - |
|
| 50 | - /** @var ISession */ |
|
| 51 | - private $session; |
|
| 52 | - |
|
| 53 | - /** @var IURLGenerator */ |
|
| 54 | - private $urlGenerator; |
|
| 55 | - |
|
| 56 | - /** @var IControllerMethodReflector */ |
|
| 57 | - private $reflector; |
|
| 58 | - |
|
| 59 | - /** @var IRequest */ |
|
| 60 | - private $request; |
|
| 61 | - |
|
| 62 | - /** |
|
| 63 | - * @param Manager $twoFactorManager |
|
| 64 | - * @param Session $userSession |
|
| 65 | - * @param ISession $session |
|
| 66 | - * @param IURLGenerator $urlGenerator |
|
| 67 | - */ |
|
| 68 | - public function __construct(Manager $twoFactorManager, Session $userSession, ISession $session, |
|
| 69 | - IURLGenerator $urlGenerator, IControllerMethodReflector $reflector, IRequest $request) { |
|
| 70 | - $this->twoFactorManager = $twoFactorManager; |
|
| 71 | - $this->userSession = $userSession; |
|
| 72 | - $this->session = $session; |
|
| 73 | - $this->urlGenerator = $urlGenerator; |
|
| 74 | - $this->reflector = $reflector; |
|
| 75 | - $this->request = $request; |
|
| 76 | - } |
|
| 77 | - |
|
| 78 | - /** |
|
| 79 | - * @param Controller $controller |
|
| 80 | - * @param string $methodName |
|
| 81 | - */ |
|
| 82 | - public function beforeController($controller, $methodName) { |
|
| 83 | - if ($this->reflector->hasAnnotation('PublicPage')) { |
|
| 84 | - // Don't block public pages |
|
| 85 | - return; |
|
| 86 | - } |
|
| 87 | - |
|
| 88 | - if ($controller instanceof LoginController && $methodName === 'logout') { |
|
| 89 | - // Don't block the logout page, to allow canceling the 2FA |
|
| 90 | - return; |
|
| 91 | - } |
|
| 92 | - |
|
| 93 | - if ($this->userSession->isLoggedIn()) { |
|
| 94 | - $user = $this->userSession->getUser(); |
|
| 95 | - |
|
| 96 | - if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { |
|
| 97 | - $this->checkTwoFactor($controller, $methodName, $user); |
|
| 98 | - } else if ($controller instanceof TwoFactorChallengeController) { |
|
| 99 | - // Allow access to the two-factor controllers only if two-factor authentication |
|
| 100 | - // is in progress. |
|
| 101 | - throw new UserAlreadyLoggedInException(); |
|
| 102 | - } |
|
| 103 | - } |
|
| 104 | - // TODO: dont check/enforce 2FA if a auth token is used |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - private function checkTwoFactor(Controller $controller, $methodName, IUser $user) { |
|
| 108 | - // If two-factor auth is in progress disallow access to any controllers |
|
| 109 | - // defined within "LoginController". |
|
| 110 | - $needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user); |
|
| 111 | - $twoFactor = $controller instanceof TwoFactorChallengeController; |
|
| 112 | - |
|
| 113 | - // Disallow access to any controller if 2FA needs to be checked |
|
| 114 | - if ($needsSecondFactor && !$twoFactor) { |
|
| 115 | - throw new TwoFactorAuthRequiredException(); |
|
| 116 | - } |
|
| 117 | - |
|
| 118 | - // Allow access to the two-factor controllers only if two-factor authentication |
|
| 119 | - // is in progress. |
|
| 120 | - if (!$needsSecondFactor && $twoFactor) { |
|
| 121 | - throw new UserAlreadyLoggedInException(); |
|
| 122 | - } |
|
| 123 | - } |
|
| 124 | - |
|
| 125 | - public function afterException($controller, $methodName, Exception $exception) { |
|
| 126 | - if ($exception instanceof TwoFactorAuthRequiredException) { |
|
| 127 | - $params = []; |
|
| 128 | - if (isset($this->request->server['REQUEST_URI'])) { |
|
| 129 | - $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 130 | - } |
|
| 131 | - return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params)); |
|
| 132 | - } |
|
| 133 | - if ($exception instanceof UserAlreadyLoggedInException) { |
|
| 134 | - return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); |
|
| 135 | - } |
|
| 136 | - |
|
| 137 | - throw $exception; |
|
| 138 | - } |
|
| 44 | + /** @var Manager */ |
|
| 45 | + private $twoFactorManager; |
|
| 46 | + |
|
| 47 | + /** @var Session */ |
|
| 48 | + private $userSession; |
|
| 49 | + |
|
| 50 | + /** @var ISession */ |
|
| 51 | + private $session; |
|
| 52 | + |
|
| 53 | + /** @var IURLGenerator */ |
|
| 54 | + private $urlGenerator; |
|
| 55 | + |
|
| 56 | + /** @var IControllerMethodReflector */ |
|
| 57 | + private $reflector; |
|
| 58 | + |
|
| 59 | + /** @var IRequest */ |
|
| 60 | + private $request; |
|
| 61 | + |
|
| 62 | + /** |
|
| 63 | + * @param Manager $twoFactorManager |
|
| 64 | + * @param Session $userSession |
|
| 65 | + * @param ISession $session |
|
| 66 | + * @param IURLGenerator $urlGenerator |
|
| 67 | + */ |
|
| 68 | + public function __construct(Manager $twoFactorManager, Session $userSession, ISession $session, |
|
| 69 | + IURLGenerator $urlGenerator, IControllerMethodReflector $reflector, IRequest $request) { |
|
| 70 | + $this->twoFactorManager = $twoFactorManager; |
|
| 71 | + $this->userSession = $userSession; |
|
| 72 | + $this->session = $session; |
|
| 73 | + $this->urlGenerator = $urlGenerator; |
|
| 74 | + $this->reflector = $reflector; |
|
| 75 | + $this->request = $request; |
|
| 76 | + } |
|
| 77 | + |
|
| 78 | + /** |
|
| 79 | + * @param Controller $controller |
|
| 80 | + * @param string $methodName |
|
| 81 | + */ |
|
| 82 | + public function beforeController($controller, $methodName) { |
|
| 83 | + if ($this->reflector->hasAnnotation('PublicPage')) { |
|
| 84 | + // Don't block public pages |
|
| 85 | + return; |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + if ($controller instanceof LoginController && $methodName === 'logout') { |
|
| 89 | + // Don't block the logout page, to allow canceling the 2FA |
|
| 90 | + return; |
|
| 91 | + } |
|
| 92 | + |
|
| 93 | + if ($this->userSession->isLoggedIn()) { |
|
| 94 | + $user = $this->userSession->getUser(); |
|
| 95 | + |
|
| 96 | + if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { |
|
| 97 | + $this->checkTwoFactor($controller, $methodName, $user); |
|
| 98 | + } else if ($controller instanceof TwoFactorChallengeController) { |
|
| 99 | + // Allow access to the two-factor controllers only if two-factor authentication |
|
| 100 | + // is in progress. |
|
| 101 | + throw new UserAlreadyLoggedInException(); |
|
| 102 | + } |
|
| 103 | + } |
|
| 104 | + // TODO: dont check/enforce 2FA if a auth token is used |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + private function checkTwoFactor(Controller $controller, $methodName, IUser $user) { |
|
| 108 | + // If two-factor auth is in progress disallow access to any controllers |
|
| 109 | + // defined within "LoginController". |
|
| 110 | + $needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user); |
|
| 111 | + $twoFactor = $controller instanceof TwoFactorChallengeController; |
|
| 112 | + |
|
| 113 | + // Disallow access to any controller if 2FA needs to be checked |
|
| 114 | + if ($needsSecondFactor && !$twoFactor) { |
|
| 115 | + throw new TwoFactorAuthRequiredException(); |
|
| 116 | + } |
|
| 117 | + |
|
| 118 | + // Allow access to the two-factor controllers only if two-factor authentication |
|
| 119 | + // is in progress. |
|
| 120 | + if (!$needsSecondFactor && $twoFactor) { |
|
| 121 | + throw new UserAlreadyLoggedInException(); |
|
| 122 | + } |
|
| 123 | + } |
|
| 124 | + |
|
| 125 | + public function afterException($controller, $methodName, Exception $exception) { |
|
| 126 | + if ($exception instanceof TwoFactorAuthRequiredException) { |
|
| 127 | + $params = []; |
|
| 128 | + if (isset($this->request->server['REQUEST_URI'])) { |
|
| 129 | + $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 130 | + } |
|
| 131 | + return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params)); |
|
| 132 | + } |
|
| 133 | + if ($exception instanceof UserAlreadyLoggedInException) { |
|
| 134 | + return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); |
|
| 135 | + } |
|
| 136 | + |
|
| 137 | + throw $exception; |
|
| 138 | + } |
|
| 139 | 139 | |
| 140 | 140 | } |
