disable password confirmation with SSO

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
nextcloud · Dec 13, 2017 · eaa8d08 · eaa8d08
1 parent 175e1a5
commit eaa8d08
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 5 deletions.
diff --git a/core/js/js.js b/core/js/js.js
@@ -1647,7 +1647,8 @@ OC.PasswordConfirmation = {
 
 	requiresPasswordConfirmation: function() {
 		var timeSinceLogin = moment.now() - (nc_lastLogin * 1000);
-		return timeSinceLogin > 30 * 60 * 1000; // 30 minutes
+		// if timeSinceLogin > 30 minutes and user backend allows password confirmation
+		return (backendAllowsPasswordConfirmation && timeSinceLogin > 30 * 60 * 1000);
 	},
 
 	/**

diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -234,7 +234,8 @@ public function __construct($appName, $urlParams = array(), ServerContainer $ser
 				$server->getContentSecurityPolicyManager(),
 				$server->getCsrfTokenManager(),
 				$server->getContentSecurityPolicyNonceManager(),
-				$server->getAppManager()
+				$server->getAppManager(),
+				$server->getUserSession()
 			);
 
 		});

diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -55,6 +55,7 @@
 use OCP\IRequest;
 use OCP\ILogger;
 use OCP\AppFramework\Controller;
+use OCP\IUserSession;
 use OCP\Util;
 use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
 
@@ -91,6 +92,8 @@ class SecurityMiddleware extends Middleware {
 	private $cspNonceManager;
 	/** @var IAppManager */
 	private $appManager;
+	/** @var IUserSession */
+	private $userSession;
 
 	/**
 	 * @param IRequest $request
@@ -106,6 +109,7 @@ class SecurityMiddleware extends Middleware {
 	 * @param CSRFTokenManager $csrfTokenManager
 	 * @param ContentSecurityPolicyNonceManager $cspNonceManager
 	 * @param IAppManager $appManager
+	 * @param IUserSession $userSession
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@@ -119,7 +123,9 @@ public function __construct(IRequest $request,
 								ContentSecurityPolicyManager $contentSecurityPolicyManager,
 								CsrfTokenManager $csrfTokenManager,
 								ContentSecurityPolicyNonceManager $cspNonceManager,
-								IAppManager $appManager) {
+								IAppManager $appManager,
+								IUserSession $userSession
+	) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@@ -133,6 +139,7 @@ public function __construct(IRequest $request,
 		$this->csrfTokenManager = $csrfTokenManager;
 		$this->cspNonceManager = $cspNonceManager;
 		$this->appManager = $appManager;
+		$this->userSession = $userSession;
 	}
 
 	/**
@@ -164,8 +171,15 @@ public function beforeController($controller, $methodName) {
 		}
 
 		if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
+			$user = $this->userSession->getUser();
+			$backendClassName = '';
+			if ($user !== null) {
+				$backendClassName = $user->getBackendClassName();
+			}
+
 			$lastConfirm = (int) $this->session->get('last-password-confirm');
-			if ($lastConfirm < (time() - (30 * 60 + 15))) { // allow 15 seconds delay
+			// we can't check the password against a SAML backend, so skip password confirmation in this case
+			if ($backendClassName !== 'user_saml' && $lastConfirm < (time() - (30 * 60 + 15))) { // allow 15 seconds delay
 				throw new NotConfirmedException();
 			}
 		}

diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php
@@ -101,8 +101,10 @@ public function getConfig() {
 
 		if ($this->currentUser !== null) {
 			$uid = $this->currentUser->getUID();
+			$userBackend = $this->currentUser->getBackendClassName();
 		} else {
 			$uid = null;
+			$userBackend = '';
 		}
 
 		// Get the config
@@ -147,6 +149,7 @@ public function getConfig() {
 		$array = [
 			"oc_debug" => $this->config->getSystemValue('debug', false) ? 'true' : 'false',
 			"oc_isadmin" => $this->groupManager->isAdmin($uid) ? 'true' : 'false',
+			"backendAllowsPasswordConfirmation" => $userBackend === 'user_saml'? 'false' : 'true',
 			"oc_dataURL" => is_string($dataLocation) ? "\"".$dataLocation."\"" : 'false',
 			"oc_webroot" => "\"".\OC::$WEBROOT."\"",
 			"oc_appswebroots" =>  str_replace('\\/', '/', json_encode($apps_paths)), // Ugly unescape slashes waiting for better solution

diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -50,6 +50,8 @@
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IURLGenerator;
+use OCP\IUser;
+use OCP\IUserSession;
 use OCP\Security\ISecureRandom;
 
 class SecurityMiddlewareTest extends \Test\TestCase {
@@ -82,6 +84,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 	private $cspNonceManager;
 	/** @var IAppManager|\PHPUnit_Framework_MockObject_MockObject */
 	private $appManager;
+	/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
+	private $userSession;
 
 	protected function setUp() {
 		parent::setUp();
@@ -100,6 +104,10 @@ protected function setUp() {
 		$this->appManager->expects($this->any())
 			->method('isEnabledForUser')
 			->willReturn(true);
+		$this->userSession = $this->createMock(IUserSession::class);
+		$user = $this->createMock(IUser::class);
+		$user->expects($this->any())->method('getBackendClassName')->willReturn('user_ldap');
+		$this->userSession->expects($this->any())->method('getUser')->willReturn($user);
 		$this->middleware = $this->getMiddleware(true, true);
 		$this->secException = new SecurityException('hey', false);
 		$this->secAjaxException = new SecurityException('hey', true);
@@ -124,7 +132,8 @@ private function getMiddleware($isLoggedIn, $isAdminUser) {
 			$this->contentSecurityPolicyManager,
 			$this->csrfTokenManager,
 			$this->cspNonceManager,
-			$this->appManager
+			$this->appManager,
+			$this->userSession
 		);
 	}