nextcloud/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

<?php
/**
 * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Authentication\Token\IProvider;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\Authentication\Exceptions\WipeTokenException;
use OCP\Authentication\Token\IToken;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\User\Backend\IPasswordConfirmationBackend;
use Psr\Log\LoggerInterface;
use ReflectionMethod;

class PasswordConfirmationMiddleware extends Middleware {
	/** @var ControllerMethodReflector */
	private $reflector;
	/** @var ISession */
	private $session;
	/** @var IUserSession */
	private $userSession;
	/** @var ITimeFactory */
	private $timeFactory;
	/** @var array */
	private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
	private IProvider $tokenProvider;

	/**
	 * PasswordConfirmationMiddleware constructor.
	 *
	 * @param ControllerMethodReflector $reflector
	 * @param ISession $session
	 * @param IUserSession $userSession
	 * @param ITimeFactory $timeFactory
	 */
	public function __construct(ControllerMethodReflector $reflector,
		ISession $session,
		IUserSession $userSession,
		ITimeFactory $timeFactory,
		IProvider $tokenProvider,
		private readonly LoggerInterface $logger,
	) {
		$this->reflector = $reflector;
		$this->session = $session;
		$this->userSession = $userSession;
		$this->timeFactory = $timeFactory;
		$this->tokenProvider = $tokenProvider;
	}

	/**
	 * @param Controller $controller
	 * @param string $methodName
	 * @throws NotConfirmedException
	 */
	public function beforeController($controller, $methodName) {
		$reflectionMethod = new ReflectionMethod($controller, $methodName);

		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) {
			$user = $this->userSession->getUser();
			$backendClassName = '';
			if ($user !== null) {
				$backend = $user->getBackend();
				if ($backend instanceof IPasswordConfirmationBackend) {
					if (!$backend->canConfirmPassword($user->getUID())) {
						return;
					}
				}

				$backendClassName = $user->getBackendClassName();
			}

			try {
				$sessionId = $this->session->getId();
				$token = $this->tokenProvider->getToken($sessionId);
			} catch (SessionNotAvailableException|InvalidTokenException|WipeTokenException|ExpiredTokenException) {
				// States we do not deal with here.
				return;
			}
			$scope = $token->getScopeAsArray();
			if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
				// Users logging in from SSO backends cannot confirm their password by design
				return;
			}

			$lastConfirm = (int)$this->session->get('last-password-confirm');
			// TODO: confirm excludedUserBackEnds can go away and remove it
			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
				throw new NotConfirmedException();
			}
		}
	}

	/**
	 * @template T
	 *
	 * @param ReflectionMethod $reflectionMethod
	 * @param string $annotationName
	 * @param class-string<T> $attributeClass
	 * @return boolean
	 */
	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
			return true;
		}

		if ($this->reflector->hasAnnotation($annotationName)) {
			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
			return true;
		}

		return false;
	}
}
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`<?php`
			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-23 03:26:56 -04:00			`* SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`*/`
			`namespace OC\AppFramework\Middleware\Security;`

			`use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;`
			`use OC\AppFramework\Utility\ControllerMethodReflector;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OC\Authentication\Token\IProvider;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Controller;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Middleware;`
			`use OCP\AppFramework\Utility\ITimeFactory;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Authentication\Exceptions\ExpiredTokenException;`
			`use OCP\Authentication\Exceptions\InvalidTokenException;`
			`use OCP\Authentication\Exceptions\WipeTokenException;`
refactor(Token): introduce scope constants Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-15 07:51:31 -04:00			`use OCP\Authentication\Token\IToken;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\ISession;`
			`use OCP\IUserSession;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Session\Exceptions\SessionNotAvailableException;`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00			`use OCP\User\Backend\IPasswordConfirmationBackend;`
feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-15 09:25:45 -04:00			`use Psr\Log\LoggerInterface;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use ReflectionMethod;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
			`class PasswordConfirmationMiddleware extends Middleware {`
			`/** @var ControllerMethodReflector */`
			`private $reflector;`
			`/** @var ISession */`
			`private $session;`
			`/** @var IUserSession */`
			`private $userSession;`
			`/** @var ITimeFactory */`
			`private $timeFactory;`
add global site selector as user back-end which doesn't support password confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org> 2018-10-27 09:43:51 -04:00			`/** @var array */`
			`private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`private IProvider $tokenProvider;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
			`/**`
			`* PasswordConfirmationMiddleware constructor.`
			`*`
			`* @param ControllerMethodReflector $reflector`
			`* @param ISession $session`
			`* @param IUserSession $userSession`
			`* @param ITimeFactory $timeFactory`
			`*/`
			`public function __construct(ControllerMethodReflector $reflector,`
			`ISession $session,`
			`IUserSession $userSession,`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`ITimeFactory $timeFactory,`
			`IProvider $tokenProvider,`
feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-15 09:25:45 -04:00			`private readonly LoggerInterface $logger,`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`) {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$this->reflector = $reflector;`
			`$this->session = $session;`
			`$this->userSession = $userSession;`
			`$this->timeFactory = $timeFactory;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`$this->tokenProvider = $tokenProvider;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`

			`/**`
			`* @param Controller $controller`
			`* @param string $methodName`
			`* @throws NotConfirmedException`
			`*/`
			`public function beforeController($controller, $methodName) {`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`

			`if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$user = $this->userSession->getUser();`
			`$backendClassName = '';`
			`if ($user !== null) {`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00			`$backend = $user->getBackend();`
			`if ($backend instanceof IPasswordConfirmationBackend) {`
			`if (!$backend->canConfirmPassword($user->getUID())) {`
			`return;`
			`}`
			`}`

Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$backendClassName = $user->getBackendClassName();`
			`}`

fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`try {`
			`$sessionId = $this->session->getId();`
			`$token = $this->tokenProvider->getToken($sessionId);`
			`} catch (SessionNotAvailableException\|InvalidTokenException\|WipeTokenException\|ExpiredTokenException) {`
			`// States we do not deal with here.`
			`return;`
			`}`
			`$scope = $token->getScopeAsArray();`
refactor(Token): introduce scope constants Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-15 07:51:31 -04:00			`if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`// Users logging in from SSO backends cannot confirm their password by design`
			`return;`
			`}`

Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$lastConfirm = (int)$this->session->get('last-password-confirm');`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`// TODO: confirm excludedUserBackEnds can go away and remove it`
add global site selector as user back-end which doesn't support password confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org> 2018-10-27 09:43:51 -04:00			`if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`throw new NotConfirmedException();`
			`}`
			`}`
			`}`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00
			`/**`
			`* @template T`
			`*`
			`* @param ReflectionMethod $reflectionMethod`
			`* @param string $annotationName`
			`* @param class-string<T> $attributeClass`
			`* @return boolean`
			`*/`
			`protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {`
			`if (!empty($reflectionMethod->getAttributes($attributeClass))) {`
			`return true;`
			`}`

			`if ($this->reflector->hasAnnotation($annotationName)) {`
feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-15 09:25:45 -04:00			`$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`return true;`
			`}`

			`return false;`
			`}`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`