nextcloud /
server
@@ -30,82 +30,82 @@ |
||
| 30 | 30 | use OCP\IUser; |
| 31 | 31 | |
| 32 | 32 | class MandatoryTwoFactor { |
| 33 | - /** @var IConfig */ |
|
| 34 | - private $config; |
|
| 33 | + /** @var IConfig */ |
|
| 34 | + private $config; |
|
| 35 | 35 | |
| 36 | - /** @var IGroupManager */ |
|
| 37 | - private $groupManager; |
|
| 36 | + /** @var IGroupManager */ |
|
| 37 | + private $groupManager; |
|
| 38 | 38 | |
| 39 | - public function __construct(IConfig $config, IGroupManager $groupManager) { |
|
| 40 | - $this->config = $config; |
|
| 41 | - $this->groupManager = $groupManager; |
|
| 42 | - } |
|
| 39 | + public function __construct(IConfig $config, IGroupManager $groupManager) { |
|
| 40 | + $this->config = $config; |
|
| 41 | + $this->groupManager = $groupManager; |
|
| 42 | + } |
|
| 43 | 43 | |
| 44 | - /** |
|
| 45 | - * Get the state of enforced two-factor auth |
|
| 46 | - */ |
|
| 47 | - public function getState(): EnforcementState { |
|
| 48 | - return new EnforcementState( |
|
| 49 | - $this->config->getSystemValue('twofactor_enforced', 'false') === 'true', |
|
| 50 | - $this->config->getSystemValue('twofactor_enforced_groups', []), |
|
| 51 | - $this->config->getSystemValue('twofactor_enforced_excluded_groups', []) |
|
| 52 | - ); |
|
| 53 | - } |
|
| 44 | + /** |
|
| 45 | + * Get the state of enforced two-factor auth |
|
| 46 | + */ |
|
| 47 | + public function getState(): EnforcementState { |
|
| 48 | + return new EnforcementState( |
|
| 49 | + $this->config->getSystemValue('twofactor_enforced', 'false') === 'true', |
|
| 50 | + $this->config->getSystemValue('twofactor_enforced_groups', []), |
|
| 51 | + $this->config->getSystemValue('twofactor_enforced_excluded_groups', []) |
|
| 52 | + ); |
|
| 53 | + } |
|
| 54 | 54 | |
| 55 | - /** |
|
| 56 | - * Set the state of enforced two-factor auth |
|
| 57 | - */ |
|
| 58 | - public function setState(EnforcementState $state) { |
|
| 59 | - $this->config->setSystemValue('twofactor_enforced', $state->isEnforced() ? 'true' : 'false'); |
|
| 60 | - $this->config->setSystemValue('twofactor_enforced_groups', $state->getEnforcedGroups()); |
|
| 61 | - $this->config->setSystemValue('twofactor_enforced_excluded_groups', $state->getExcludedGroups()); |
|
| 62 | - } |
|
| 55 | + /** |
|
| 56 | + * Set the state of enforced two-factor auth |
|
| 57 | + */ |
|
| 58 | + public function setState(EnforcementState $state) { |
|
| 59 | + $this->config->setSystemValue('twofactor_enforced', $state->isEnforced() ? 'true' : 'false'); |
|
| 60 | + $this->config->setSystemValue('twofactor_enforced_groups', $state->getEnforcedGroups()); |
|
| 61 | + $this->config->setSystemValue('twofactor_enforced_excluded_groups', $state->getExcludedGroups()); |
|
| 62 | + } |
|
| 63 | 63 | |
| 64 | - /** |
|
| 65 | - * Check if two-factor auth is enforced for a specific user |
|
| 66 | - * |
|
| 67 | - * The admin(s) can enforce two-factor auth system-wide, for certain groups only |
|
| 68 | - * and also have the option to exclude users of certain groups. This method will |
|
| 69 | - * check their membership of those groups. |
|
| 70 | - * |
|
| 71 | - * @param IUser $user |
|
| 72 | - * |
|
| 73 | - * @return bool |
|
| 74 | - */ |
|
| 75 | - public function isEnforcedFor(IUser $user): bool { |
|
| 76 | - $state = $this->getState(); |
|
| 77 | - if (!$state->isEnforced()) { |
|
| 78 | - return false; |
|
| 79 | - } |
|
| 80 | - $uid = $user->getUID(); |
|
| 64 | + /** |
|
| 65 | + * Check if two-factor auth is enforced for a specific user |
|
| 66 | + * |
|
| 67 | + * The admin(s) can enforce two-factor auth system-wide, for certain groups only |
|
| 68 | + * and also have the option to exclude users of certain groups. This method will |
|
| 69 | + * check their membership of those groups. |
|
| 70 | + * |
|
| 71 | + * @param IUser $user |
|
| 72 | + * |
|
| 73 | + * @return bool |
|
| 74 | + */ |
|
| 75 | + public function isEnforcedFor(IUser $user): bool { |
|
| 76 | + $state = $this->getState(); |
|
| 77 | + if (!$state->isEnforced()) { |
|
| 78 | + return false; |
|
| 79 | + } |
|
| 80 | + $uid = $user->getUID(); |
|
| 81 | 81 | |
| 82 | - /* |
|
| 82 | + /* |
|
| 83 | 83 | * If there is a list of enforced groups, we only enforce 2FA for members of those groups. |
| 84 | 84 | * For all the other users it is not enforced (overruling the excluded groups list). |
| 85 | 85 | */ |
| 86 | - if (!empty($state->getEnforcedGroups())) { |
|
| 87 | - foreach ($state->getEnforcedGroups() as $group) { |
|
| 88 | - if ($this->groupManager->isInGroup($uid, $group)) { |
|
| 89 | - return true; |
|
| 90 | - } |
|
| 91 | - } |
|
| 92 | - // Not a member of any of these groups -> no 2FA enforced |
|
| 93 | - return false; |
|
| 94 | - } |
|
| 86 | + if (!empty($state->getEnforcedGroups())) { |
|
| 87 | + foreach ($state->getEnforcedGroups() as $group) { |
|
| 88 | + if ($this->groupManager->isInGroup($uid, $group)) { |
|
| 89 | + return true; |
|
| 90 | + } |
|
| 91 | + } |
|
| 92 | + // Not a member of any of these groups -> no 2FA enforced |
|
| 93 | + return false; |
|
| 94 | + } |
|
| 95 | 95 | |
| 96 | - /** |
|
| 97 | - * If the user is member of an excluded group, 2FA won't be enforced. |
|
| 98 | - */ |
|
| 99 | - foreach ($state->getExcludedGroups() as $group) { |
|
| 100 | - if ($this->groupManager->isInGroup($uid, $group)) { |
|
| 101 | - return false; |
|
| 102 | - } |
|
| 103 | - } |
|
| 96 | + /** |
|
| 97 | + * If the user is member of an excluded group, 2FA won't be enforced. |
|
| 98 | + */ |
|
| 99 | + foreach ($state->getExcludedGroups() as $group) { |
|
| 100 | + if ($this->groupManager->isInGroup($uid, $group)) { |
|
| 101 | + return false; |
|
| 102 | + } |
|
| 103 | + } |
|
| 104 | 104 | |
| 105 | - /** |
|
| 106 | - * No enforced groups configured and user not member of an excluded groups, |
|
| 107 | - * so 2FA is enforced. |
|
| 108 | - */ |
|
| 109 | - return true; |
|
| 110 | - } |
|
| 105 | + /** |
|
| 106 | + * No enforced groups configured and user not member of an excluded groups, |
|
| 107 | + * so 2FA is enforced. |
|
| 108 | + */ |
|
| 109 | + return true; |
|
| 110 | + } |
|
| 111 | 111 | } |
@@ -33,49 +33,49 @@ |
||
| 33 | 33 | * Contains all two-factor provider information for the two-factor login challenge |
| 34 | 34 | */ |
| 35 | 35 | class ProviderSet { |
| 36 | - /** @var IProvider */ |
|
| 37 | - private $providers; |
|
| 36 | + /** @var IProvider */ |
|
| 37 | + private $providers; |
|
| 38 | 38 | |
| 39 | - /** @var bool */ |
|
| 40 | - private $providerMissing; |
|
| 39 | + /** @var bool */ |
|
| 40 | + private $providerMissing; |
|
| 41 | 41 | |
| 42 | - /** |
|
| 43 | - * @param IProvider[] $providers |
|
| 44 | - * @param bool $providerMissing |
|
| 45 | - */ |
|
| 46 | - public function __construct(array $providers, bool $providerMissing) { |
|
| 47 | - $this->providers = []; |
|
| 48 | - foreach ($providers as $provider) { |
|
| 49 | - $this->providers[$provider->getId()] = $provider; |
|
| 50 | - } |
|
| 51 | - $this->providerMissing = $providerMissing; |
|
| 52 | - } |
|
| 42 | + /** |
|
| 43 | + * @param IProvider[] $providers |
|
| 44 | + * @param bool $providerMissing |
|
| 45 | + */ |
|
| 46 | + public function __construct(array $providers, bool $providerMissing) { |
|
| 47 | + $this->providers = []; |
|
| 48 | + foreach ($providers as $provider) { |
|
| 49 | + $this->providers[$provider->getId()] = $provider; |
|
| 50 | + } |
|
| 51 | + $this->providerMissing = $providerMissing; |
|
| 52 | + } |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * @param string $providerId |
|
| 56 | - * @return IProvider|null |
|
| 57 | - */ |
|
| 58 | - public function getProvider(string $providerId) { |
|
| 59 | - return $this->providers[$providerId] ?? null; |
|
| 60 | - } |
|
| 54 | + /** |
|
| 55 | + * @param string $providerId |
|
| 56 | + * @return IProvider|null |
|
| 57 | + */ |
|
| 58 | + public function getProvider(string $providerId) { |
|
| 59 | + return $this->providers[$providerId] ?? null; |
|
| 60 | + } |
|
| 61 | 61 | |
| 62 | - /** |
|
| 63 | - * @return IProvider[] |
|
| 64 | - */ |
|
| 65 | - public function getProviders(): array { |
|
| 66 | - return $this->providers; |
|
| 67 | - } |
|
| 62 | + /** |
|
| 63 | + * @return IProvider[] |
|
| 64 | + */ |
|
| 65 | + public function getProviders(): array { |
|
| 66 | + return $this->providers; |
|
| 67 | + } |
|
| 68 | 68 | |
| 69 | - /** |
|
| 70 | - * @return IProvider[] |
|
| 71 | - */ |
|
| 72 | - public function getPrimaryProviders(): array { |
|
| 73 | - return array_filter($this->providers, function (IProvider $provider) { |
|
| 74 | - return !($provider instanceof BackupCodesProvider); |
|
| 75 | - }); |
|
| 76 | - } |
|
| 69 | + /** |
|
| 70 | + * @return IProvider[] |
|
| 71 | + */ |
|
| 72 | + public function getPrimaryProviders(): array { |
|
| 73 | + return array_filter($this->providers, function (IProvider $provider) { |
|
| 74 | + return !($provider instanceof BackupCodesProvider); |
|
| 75 | + }); |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - public function isProviderMissing(): bool { |
|
| 79 | - return $this->providerMissing; |
|
| 80 | - } |
|
| 78 | + public function isProviderMissing(): bool { |
|
| 79 | + return $this->providerMissing; |
|
| 80 | + } |
|
| 81 | 81 | } |
@@ -29,15 +29,15 @@ |
||
| 29 | 29 | use OCP\EventDispatcher\Event; |
| 30 | 30 | |
| 31 | 31 | abstract class ARemoteWipeEvent extends Event { |
| 32 | - /** @var IToken */ |
|
| 33 | - private $token; |
|
| 32 | + /** @var IToken */ |
|
| 33 | + private $token; |
|
| 34 | 34 | |
| 35 | - public function __construct(IToken $token) { |
|
| 36 | - parent::__construct(); |
|
| 37 | - $this->token = $token; |
|
| 38 | - } |
|
| 35 | + public function __construct(IToken $token) { |
|
| 36 | + parent::__construct(); |
|
| 37 | + $this->token = $token; |
|
| 38 | + } |
|
| 39 | 39 | |
| 40 | - public function getToken(): IToken { |
|
| 41 | - return $this->token; |
|
| 42 | - } |
|
| 40 | + public function getToken(): IToken { |
|
| 41 | + return $this->token; |
|
| 42 | + } |
|
| 43 | 43 | } |
@@ -35,28 +35,28 @@ |
||
| 35 | 35 | * @template-implements IEventListener<\OCP\User\Events\PostLoginEvent> |
| 36 | 36 | */ |
| 37 | 37 | class UserLoggedInListener implements IEventListener { |
| 38 | - /** @var Manager */ |
|
| 39 | - private $manager; |
|
| 40 | - |
|
| 41 | - public function __construct(Manager $manager) { |
|
| 42 | - $this->manager = $manager; |
|
| 43 | - } |
|
| 44 | - |
|
| 45 | - public function handle(Event $event): void { |
|
| 46 | - if (!($event instanceof PostLoginEvent)) { |
|
| 47 | - return; |
|
| 48 | - } |
|
| 49 | - |
|
| 50 | - // prevent setting an empty pw as result of pw-less-login |
|
| 51 | - if ($event->getPassword() === '') { |
|
| 52 | - return; |
|
| 53 | - } |
|
| 54 | - |
|
| 55 | - // If this is already a token login there is nothing to do |
|
| 56 | - if ($event->isTokenLogin()) { |
|
| 57 | - return; |
|
| 58 | - } |
|
| 59 | - |
|
| 60 | - $this->manager->updatePasswords($event->getUser()->getUID(), $event->getPassword()); |
|
| 61 | - } |
|
| 38 | + /** @var Manager */ |
|
| 39 | + private $manager; |
|
| 40 | + |
|
| 41 | + public function __construct(Manager $manager) { |
|
| 42 | + $this->manager = $manager; |
|
| 43 | + } |
|
| 44 | + |
|
| 45 | + public function handle(Event $event): void { |
|
| 46 | + if (!($event instanceof PostLoginEvent)) { |
|
| 47 | + return; |
|
| 48 | + } |
|
| 49 | + |
|
| 50 | + // prevent setting an empty pw as result of pw-less-login |
|
| 51 | + if ($event->getPassword() === '') { |
|
| 52 | + return; |
|
| 53 | + } |
|
| 54 | + |
|
| 55 | + // If this is already a token login there is nothing to do |
|
| 56 | + if ($event->isTokenLogin()) { |
|
| 57 | + return; |
|
| 58 | + } |
|
| 59 | + |
|
| 60 | + $this->manager->updatePasswords($event->getUser()->getUID(), $event->getPassword()); |
|
| 61 | + } |
|
| 62 | 62 | } |
@@ -34,18 +34,18 @@ |
||
| 34 | 34 | * @template-implements IEventListener<\OCP\User\Events\UserDeletedEvent> |
| 35 | 35 | */ |
| 36 | 36 | class UserDeletedStoreCleanupListener implements IEventListener { |
| 37 | - /** @var Registry */ |
|
| 38 | - private $registry; |
|
| 37 | + /** @var Registry */ |
|
| 38 | + private $registry; |
|
| 39 | 39 | |
| 40 | - public function __construct(Registry $registry) { |
|
| 41 | - $this->registry = $registry; |
|
| 42 | - } |
|
| 40 | + public function __construct(Registry $registry) { |
|
| 41 | + $this->registry = $registry; |
|
| 42 | + } |
|
| 43 | 43 | |
| 44 | - public function handle(Event $event): void { |
|
| 45 | - if (!($event instanceof UserDeletedEvent)) { |
|
| 46 | - return; |
|
| 47 | - } |
|
| 44 | + public function handle(Event $event): void { |
|
| 45 | + if (!($event instanceof UserDeletedEvent)) { |
|
| 46 | + return; |
|
| 47 | + } |
|
| 48 | 48 | |
| 49 | - $this->registry->deleteUserData($event->getUser()); |
|
| 50 | - } |
|
| 49 | + $this->registry->deleteUserData($event->getUser()); |
|
| 50 | + } |
|
| 51 | 51 | } |
@@ -28,20 +28,20 @@ |
||
| 28 | 28 | use OCP\IUserManager; |
| 29 | 29 | |
| 30 | 30 | class WebAuthnLoginCommand extends ALoginCommand { |
| 31 | - /** @var IUserManager */ |
|
| 32 | - private $userManager; |
|
| 31 | + /** @var IUserManager */ |
|
| 32 | + private $userManager; |
|
| 33 | 33 | |
| 34 | - public function __construct(IUserManager $userManager) { |
|
| 35 | - $this->userManager = $userManager; |
|
| 36 | - } |
|
| 34 | + public function __construct(IUserManager $userManager) { |
|
| 35 | + $this->userManager = $userManager; |
|
| 36 | + } |
|
| 37 | 37 | |
| 38 | - public function process(LoginData $loginData): LoginResult { |
|
| 39 | - $user = $this->userManager->get($loginData->getUsername()); |
|
| 40 | - $loginData->setUser($user); |
|
| 41 | - if ($user === null) { |
|
| 42 | - $loginData->setUser(false); |
|
| 43 | - } |
|
| 38 | + public function process(LoginData $loginData): LoginResult { |
|
| 39 | + $user = $this->userManager->get($loginData->getUsername()); |
|
| 40 | + $loginData->setUser($user); |
|
| 41 | + if ($user === null) { |
|
| 42 | + $loginData->setUser(false); |
|
| 43 | + } |
|
| 44 | 44 | |
| 45 | - return $this->processNextOrFinishSuccessfully($loginData); |
|
| 46 | - } |
|
| 45 | + return $this->processNextOrFinishSuccessfully($loginData); |
|
| 46 | + } |
|
| 47 | 47 | } |
@@ -28,23 +28,23 @@ |
||
| 28 | 28 | use OCP\IConfig; |
| 29 | 29 | |
| 30 | 30 | class ClearLostPasswordTokensCommand extends ALoginCommand { |
| 31 | - /** @var IConfig */ |
|
| 32 | - private $config; |
|
| 31 | + /** @var IConfig */ |
|
| 32 | + private $config; |
|
| 33 | 33 | |
| 34 | - public function __construct(IConfig $config) { |
|
| 35 | - $this->config = $config; |
|
| 36 | - } |
|
| 34 | + public function __construct(IConfig $config) { |
|
| 35 | + $this->config = $config; |
|
| 36 | + } |
|
| 37 | 37 | |
| 38 | - /** |
|
| 39 | - * User has successfully logged in, now remove the password reset link, when it is available |
|
| 40 | - */ |
|
| 41 | - public function process(LoginData $loginData): LoginResult { |
|
| 42 | - $this->config->deleteUserValue( |
|
| 43 | - $loginData->getUser()->getUID(), |
|
| 44 | - 'core', |
|
| 45 | - 'lostpassword' |
|
| 46 | - ); |
|
| 38 | + /** |
|
| 39 | + * User has successfully logged in, now remove the password reset link, when it is available |
|
| 40 | + */ |
|
| 41 | + public function process(LoginData $loginData): LoginResult { |
|
| 42 | + $this->config->deleteUserValue( |
|
| 43 | + $loginData->getUser()->getUID(), |
|
| 44 | + 'core', |
|
| 45 | + 'lostpassword' |
|
| 46 | + ); |
|
| 47 | 47 | |
| 48 | - return $this->processNextOrFinishSuccessfully($loginData); |
|
| 49 | - } |
|
| 48 | + return $this->processNextOrFinishSuccessfully($loginData); |
|
| 49 | + } |
|
| 50 | 50 | } |
@@ -28,22 +28,22 @@ |
||
| 28 | 28 | use OC\User\Session; |
| 29 | 29 | |
| 30 | 30 | class CompleteLoginCommand extends ALoginCommand { |
| 31 | - /** @var Session */ |
|
| 32 | - private $userSession; |
|
| 31 | + /** @var Session */ |
|
| 32 | + private $userSession; |
|
| 33 | 33 | |
| 34 | - public function __construct(Session $userSession) { |
|
| 35 | - $this->userSession = $userSession; |
|
| 36 | - } |
|
| 34 | + public function __construct(Session $userSession) { |
|
| 35 | + $this->userSession = $userSession; |
|
| 36 | + } |
|
| 37 | 37 | |
| 38 | - public function process(LoginData $loginData): LoginResult { |
|
| 39 | - $this->userSession->completeLogin( |
|
| 40 | - $loginData->getUser(), |
|
| 41 | - [ |
|
| 42 | - 'loginName' => $loginData->getUsername(), |
|
| 43 | - 'password' => $loginData->getPassword(), |
|
| 44 | - ] |
|
| 45 | - ); |
|
| 38 | + public function process(LoginData $loginData): LoginResult { |
|
| 39 | + $this->userSession->completeLogin( |
|
| 40 | + $loginData->getUser(), |
|
| 41 | + [ |
|
| 42 | + 'loginName' => $loginData->getUsername(), |
|
| 43 | + 'password' => $loginData->getPassword(), |
|
| 44 | + ] |
|
| 45 | + ); |
|
| 46 | 46 | |
| 47 | - return $this->processNextOrFinishSuccessfully($loginData); |
|
| 48 | - } |
|
| 47 | + return $this->processNextOrFinishSuccessfully($loginData); |
|
| 48 | + } |
|
| 49 | 49 | } |
@@ -29,27 +29,27 @@ |
||
| 29 | 29 | use OCP\IUser; |
| 30 | 30 | |
| 31 | 31 | class UidLoginCommand extends ALoginCommand { |
| 32 | - /** @var Manager */ |
|
| 33 | - private $userManager; |
|
| 34 | - |
|
| 35 | - public function __construct(Manager $userManager) { |
|
| 36 | - $this->userManager = $userManager; |
|
| 37 | - } |
|
| 38 | - |
|
| 39 | - /** |
|
| 40 | - * @param LoginData $loginData |
|
| 41 | - * |
|
| 42 | - * @return LoginResult |
|
| 43 | - */ |
|
| 44 | - public function process(LoginData $loginData): LoginResult { |
|
| 45 | - /* @var $loginResult IUser */ |
|
| 46 | - $user = $this->userManager->checkPasswordNoLogging( |
|
| 47 | - $loginData->getUsername(), |
|
| 48 | - $loginData->getPassword() |
|
| 49 | - ); |
|
| 50 | - |
|
| 51 | - $loginData->setUser($user); |
|
| 52 | - |
|
| 53 | - return $this->processNextOrFinishSuccessfully($loginData); |
|
| 54 | - } |
|
| 32 | + /** @var Manager */ |
|
| 33 | + private $userManager; |
|
| 34 | + |
|
| 35 | + public function __construct(Manager $userManager) { |
|
| 36 | + $this->userManager = $userManager; |
|
| 37 | + } |
|
| 38 | + |
|
| 39 | + /** |
|
| 40 | + * @param LoginData $loginData |
|
| 41 | + * |
|
| 42 | + * @return LoginResult |
|
| 43 | + */ |
|
| 44 | + public function process(LoginData $loginData): LoginResult { |
|
| 45 | + /* @var $loginResult IUser */ |
|
| 46 | + $user = $this->userManager->checkPasswordNoLogging( |
|
| 47 | + $loginData->getUsername(), |
|
| 48 | + $loginData->getPassword() |
|
| 49 | + ); |
|
| 50 | + |
|
| 51 | + $loginData->setUser($user); |
|
| 52 | + |
|
| 53 | + return $this->processNextOrFinishSuccessfully($loginData); |
|
| 54 | + } |
|
| 55 | 55 | } |
