lib/private/Authentication/TwoFactorAuth/Manager.php
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
* @author Thomas Müller <thomas.mueller@tmit.eu>
*
* @copyright Copyright (c) 2018, ownCloud GmbH
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\TwoFactorAuth;
use Exception;
use OC;
use OC\App\AppManager;
use OC_App;
use OCP\AppFramework\QueryException;
use OCP\Authentication\TwoFactorAuth\IProvider;
use OCP\IConfig;
use OCP\IRequest;
use OCP\ILogger;
use OCP\ISession;
use OCP\IUser;
use OCP\IGroupManager;
class Manager {
public const SESSION_UID_KEY = 'two_factor_auth_uid';
/** @var AppManager */
private $appManager;
/** @var ISession */
private $session;
/** @var IGroupManager */
private $groupManager;
/** @var IConfig */
private $config;
/** @var IRequest */
private $request;
/** @var ILogger */
private $logger;
/**
* @param AppManager $appManager
* @param ISession $session
* @param IGroupManager $groupManager
* @param IConfig $config
* @param IRequest $request
* @param ILogger $logger
*/
public function __construct(AppManager $appManager, ISession $session, IGroupManager $groupManager, IConfig $config, IRequest $request, ILogger $logger) {
$this->appManager = $appManager;
$this->session = $session;
$this->groupManager = $groupManager;
$this->config = $config;
$this->request = $request;
$this->logger = $logger;
}
/**
* Determine whether the user must provide a second factor challenge
*
* @param IUser $user
* @return boolean
*/
public function isTwoFactorAuthenticated(IUser $user) {
if ($this->isTwoFactorEnforcedForUser($user)) {
return \count($this->getProviders($user)) > 0;
}
$twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0;
return $twoFactorEnabled && \count($this->getProviders($user)) > 0;
}
public function isTwoFactorEnforcedForUser(IUser $user) {
if ($this->config->getAppValue('core', 'enforce_2fa', 'no') !== 'yes') {
return false;
}
$enforce2faExcludedGroups = \json_decode($this->config->getAppValue('core', 'enforce_2fa_excluded_groups', '[]'), true);
if (!empty($enforce2faExcludedGroups)) {
foreach ($enforce2faExcludedGroups as $group) {
if ($this->groupManager->isInGroup($user->getUID(), $group)) {
return false;
}
}
}
return true;
}
/**
* Disable 2FA checks for the given user
*
* @param IUser $user
*/
public function disableTwoFactorAuthentication(IUser $user) {
$this->config->setUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 1);
}
/**
* Enable all 2FA checks for the given user
*
* @param IUser $user
*/
public function enableTwoFactorAuthentication(IUser $user) {
$this->config->deleteUserValue($user->getUID(), 'core', 'two_factor_auth_disabled');
}
/**
* Get a 2FA provider by its ID
*
* @param IUser $user
* @param string $challengeProviderId
* @return IProvider|null
*/
public function getProvider(IUser $user, $challengeProviderId) {
$providers = $this->getProviders($user);
return isset($providers[$challengeProviderId]) ? $providers[$challengeProviderId] : null;
}
/**
* Get the list of 2FA providers for the given user
*
* @param IUser $user
* @return IProvider[]
*/
public function getProviders(IUser $user) {
$allApps = $this->appManager->getEnabledAppsForUser($user);
$providers = [];
foreach ($allApps as $appId) {
$info = $this->appManager->getAppInfo($appId);
if (isset($info['two-factor-providers'])) {
$providerClasses = $info['two-factor-providers'];
foreach ($providerClasses as $class) {
try {
$this->loadTwoFactorApp($appId);
$provider = OC::$server->query($class);
$providers[$provider->getId()] = $provider;
} catch (QueryException $exc) {
// Provider class can not be resolved
throw new Exception("Could not load two-factor auth provider $class");
}
}
}
}
// if 2-factor is enforced, we must not filter out providers that
// might not be enabled or configured. The providers are expected
// to handle this problem on their own, usually by allowing
// configuration (at least partially) in the challenge page.
if ($this->isTwoFactorEnforcedForUser($user)) {
return $providers;
}
return \array_filter($providers, function ($provider) use ($user) {
/* @var $provider IProvider */
return $provider->isTwoFactorAuthEnabledForUser($user);
});
}
/**
* Load an app by ID if it has not been loaded yet
*
* @param string $appId
*/
protected function loadTwoFactorApp($appId) {
if (!OC_App::isAppLoaded($appId)) {
OC_App::loadApp($appId);
}
}
/**
* Verify the given challenge
*
* @param string $providerId
* @param IUser $user
* @param string $challenge
* @return boolean
*/
public function verifyChallenge($providerId, IUser $user, $challenge) {
$provider = $this->getProvider($user, $providerId);
if ($provider === null) {
return false;
}
$result = $provider->verifyChallenge($user, $challenge);
if ($result) {
$this->session->remove(self::SESSION_UID_KEY);
} else {
$this->logger->warning(
"Two factor verify failed: '{$user->getUserName()}' (Remote IP: '{$this->request->getRemoteAddress()}')",
['app' => 'core']
);
}
return $result;
}
/**
* Check if the currently logged in user needs to pass 2FA
*
* @return boolean
*/
public function needsSecondFactor() {
return $this->session->exists(self::SESSION_UID_KEY);
}
/**
* Prepare the 2FA login (set session value)
*
* @param IUser $user
*/
public function prepareTwoFactorLogin(IUser $user) {
$this->session->set(self::SESSION_UID_KEY, $user->getUID());
}
}