Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/dav/lib/Connector/LegacyPublicAuth.php
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ protected function validateUserPass($username, $password) {
\OC_User::setIncognitoMode(true);

// check if the share is password protected
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
if ($share->getShareType() === IShare::TYPE_LINK
|| $share->getShareType() === IShare::TYPE_EMAIL
|| $share->getShareType() === IShare::TYPE_CIRCLE) {
Expand Down
6 changes: 3 additions & 3 deletions apps/dav/lib/Connector/Sabre/PublicAuth.php
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ public function check(RequestInterface $request, ResponseInterface $response): a
try {
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);

if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->getPassword() !== null) {
if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->isPasswordProtected()) {
throw new PreconditionFailed('Strict cookie check failed');
}

Expand Down Expand Up @@ -142,7 +142,7 @@ private function checkToken(): array {
}

// If the share is protected but user is not authenticated
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
throw new NotAuthenticated();
}
Expand Down Expand Up @@ -176,7 +176,7 @@ protected function validateUserPass($username, $password) {
\OC_User::setIncognitoMode(true);

// check if the share is password protected
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
if ($share->getShareType() === IShare::TYPE_LINK
|| $share->getShareType() === IShare::TYPE_EMAIL
|| $share->getShareType() === IShare::TYPE_CIRCLE) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -98,8 +98,7 @@ public function createFederatedShare($shareWith, $token, $password = '') {
$authenticated = in_array($share->getId(), $allowedShareIds)
|| $this->shareManager->checkPassword($share, $password);

$storedPassword = $share->getPassword();
if (!empty($storedPassword) && !$authenticated) {
if ($share->isPasswordProtected() && !$authenticated) {
$response = new JSONResponse(
['message' => 'No permission to access the share'],
Http::STATUS_BAD_REQUEST
Expand Down
6 changes: 6 additions & 0 deletions apps/files_sharing/appinfo/routes.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,12 @@
'url' => '/shareinfo',
'verb' => 'POST',
],
[
'name' => 'ShareOTP#request',
'url' => '/s/{token}/requestotp',
'verb' => 'GET',
'root' => '',
],
[
'name' => 'Settings#setDefaultAccept',
'url' => '/settings/defaultAccept',
Expand Down
2 changes: 2 additions & 0 deletions apps/files_sharing/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
'OCA\\Files_Sharing\\Controller\\ShareController' => $baseDir . '/../lib/Controller/ShareController.php',
'OCA\\Files_Sharing\\Controller\\ShareInfoController' => $baseDir . '/../lib/Controller/ShareInfoController.php',
'OCA\\Files_Sharing\\Controller\\ShareesAPIController' => $baseDir . '/../lib/Controller/ShareesAPIController.php',
'OCA\\Files_Sharing\\Controller\\ShareOTPController' => $baseDir . '/../lib/Controller/ShareOTPController.php',
'OCA\\Files_Sharing\\DefaultPublicShareTemplateProvider' => $baseDir . '/../lib/DefaultPublicShareTemplateProvider.php',
'OCA\\Files_Sharing\\DeleteOrphanedSharesJob' => $baseDir . '/../lib/DeleteOrphanedSharesJob.php',
'OCA\\Files_Sharing\\Event\\BeforeTemplateRenderedEvent' => $baseDir . '/../lib/Event/BeforeTemplateRenderedEvent.php',
Expand Down Expand Up @@ -91,6 +92,7 @@
'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => $baseDir . '/../lib/Migration/Version33000Date20251030081948.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => $baseDir . '/../lib/Migration/Version33000Date20260306120000.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => $baseDir . '/../lib/Migration/Version33000Date20260306150000.php',
'OCA\\Files_Sharing\\Migration\\Version35000Date20260624183500' => $baseDir . '/../lib/Migration/Version35000Date20260624183500.php',
'OCA\\Files_Sharing\\MountProvider' => $baseDir . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => $baseDir . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',
Expand Down
2 changes: 2 additions & 0 deletions apps/files_sharing/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ class ComposerStaticInitFiles_Sharing
'OCA\\Files_Sharing\\Controller\\ShareController' => __DIR__ . '/..' . '/../lib/Controller/ShareController.php',
'OCA\\Files_Sharing\\Controller\\ShareInfoController' => __DIR__ . '/..' . '/../lib/Controller/ShareInfoController.php',
'OCA\\Files_Sharing\\Controller\\ShareesAPIController' => __DIR__ . '/..' . '/../lib/Controller/ShareesAPIController.php',
'OCA\\Files_Sharing\\Controller\\ShareOTPController' => __DIR__ . '/..' . '/../lib/Controller/ShareOTPController.php',
'OCA\\Files_Sharing\\DefaultPublicShareTemplateProvider' => __DIR__ . '/..' . '/../lib/DefaultPublicShareTemplateProvider.php',
'OCA\\Files_Sharing\\DeleteOrphanedSharesJob' => __DIR__ . '/..' . '/../lib/DeleteOrphanedSharesJob.php',
'OCA\\Files_Sharing\\Event\\BeforeTemplateRenderedEvent' => __DIR__ . '/..' . '/../lib/Event/BeforeTemplateRenderedEvent.php',
Expand Down Expand Up @@ -106,6 +107,7 @@ class ComposerStaticInitFiles_Sharing
'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20251030081948.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306120000.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306150000.php',
'OCA\\Files_Sharing\\Migration\\Version35000Date20260624183500' => __DIR__ . '/..' . '/../lib/Migration/Version35000Date20260624183500.php',
'OCA\\Files_Sharing\\MountProvider' => __DIR__ . '/..' . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => __DIR__ . '/..' . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ public function isValidToken(): bool {

#[\Override]
protected function isPasswordProtected(): bool {
return $this->share->getPassword() !== null;
return $this->share->isPasswordProtected();
}

/**
Expand Down Expand Up @@ -181,7 +181,7 @@ public function directLink(string $token) {
}

// Password protected shares have no direct link!
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
return new DataResponse([], Http::STATUS_FORBIDDEN);
}

Expand Down
67 changes: 58 additions & 9 deletions apps/files_sharing/lib/Controller/ShareAPIController.php
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@
use OCP\Lock\LockedException;
use OCP\Mail\IEmailValidator;
use OCP\Mail\IMailer;
use OCP\OneTimePassword\IManager as IOTPManager;
use OCP\Security\ISecureRandom;
use OCP\Server;
use OCP\Share\Exceptions\GenericShareException;
use OCP\Share\Exceptions\ShareNotFound;
Expand Down Expand Up @@ -91,6 +93,7 @@ public function __construct(
string $appName,
IRequest $request,
private IManager $shareManager,
private IOTPManager $otpManager,
private IGroupManager $groupManager,
private IUserManager $userManager,
private IRootFolder $rootFolder,
Expand All @@ -109,6 +112,7 @@ public function __construct(
private ITagManager $tagManager,
private IEmailValidator $emailValidator,
private ?TrustedServers $trustedServers,
protected ISecureRandom $secureRandom,
private ?string $userId = null,
) {
parent::__construct($appName, $request);
Expand Down Expand Up @@ -342,6 +346,9 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
}
}

$result['otp_provider'] = $share->getOneTimePassword()?->getProviderId();
$result['otp_recipient'] = $share->getOneTimePassword()?->getRecipient();

$result['mail_send'] = $share->getMailSend() ? 1 : 0;
$result['hide_download'] = $share->getHideDownload() ? 1 : 0;

Expand Down Expand Up @@ -583,9 +590,11 @@ public function deleteShare(string $id): DataResponse {
* @param string $label Label for the share (only used in link and email)
* @param string|null $attributes Additional attributes for the share
* @param 'false'|'true'|null $sendMail Send a mail to the recipient
* @param ?string $otpProvider
* @param ?string $otpRecipient
*
* @return DataResponse<Http::STATUS_OK, Files_SharingShare, array{}>
* @throws OCSBadRequestException Unknown share type
* @throws OCSBadRequestException Unknown share type or invalid combination of arguments
* @throws OCSException
* @throws OCSForbiddenException Creating the share is not allowed
* @throws OCSNotFoundException Creating the share failed
Expand All @@ -608,6 +617,8 @@ public function createShare(
string $label = '',
?string $attributes = null,
?string $sendMail = null,
?string $otpProvider = null,
?string $otpRecipient = null,
): DataResponse {
assert($this->userId !== null);

Expand Down Expand Up @@ -736,11 +747,24 @@ public function createShare(
throw new OCSNotFoundException($this->l->t('Public link sharing is disabled by the administrator'));
}

$this->validateLinkSharePermissions($node, $permissions, $hasPublicUpload);
$this->validateLinkSharePermissions($node, $permissions, $hasPublicUpload, $otpRecipient !== null);
$share->setPermissions($permissions);

// Set password
if ($password !== '') {
if ($otpRecipient !== null) {
if ($otpProvider === null) {
throw new OCSBadRequestException($this->l->t('otpProvider must not be null if otpRecipient is given'));
}
if ($password !== '') {
throw new OCSBadRequestException($this->l->t('otpRecipient and password are mutually exclusive (but both were given)'));
}
$otp = $this->otpManager->createOTP($otpProvider, $otpRecipient);
$share->setOneTimePassword($otp);

// When using OTPs we still use the password internally to
// store it in the session after successful authentication
$password = $this->secureRandom->generate(32);
$share->setPassword($password);
} elseif ($password !== '') {
$share->setPassword($password);
}

Expand Down Expand Up @@ -1267,6 +1291,8 @@ public function updateShare(
?string $attributes = null,
?string $sendMail = null,
?string $token = null,
?string $otpProvider = null,
?string $otpRecipient = null,
): DataResponse {
try {
$share = $this->getShareById($id);
Expand Down Expand Up @@ -1335,9 +1361,29 @@ public function updateShare(
$share->setPermissions($permissions);
}

$passwordParamSent = $password !== null;
if ($passwordParamSent) {
if ($password === '') {
if ($otpRecipient !== null) {
if ($otpProvider === null) {
throw new OCSBadRequestException($this->l->t('otpProvider must not be null if otpRecipient is given'));
}
if ($password !== '' && $password !== null) {
throw new OCSBadRequestException($this->l->t('otpRecipient and password are mutually exclusive (but both were given)'));
}
$origOTP = $share->getOneTimePassword();
if ($origOTP->getProviderId() !== $otpProvider || $origOTP->getRecipient() !== $otpRecipient) {
$otp = $this->otpManager->createOTP($otpProvider, $otpRecipient);
$share->setOneTimePassword($otp);

// When using OTPs we still use the password internally to
// store it in the session after successful authentication
$password = $this->secureRandom->generate(32);
$share->setPassword($password);
}
} elseif ($password !== null) {
if ($share->getOneTimePassword() !== null) {
$deleteOtpId = $share->getOneTimePassword()->getId();
$share->setOneTimePassword(null);
}
if ($password === '' && $share->getOneTimePassword() !== null) {
$share->setPassword(null);
} else {
$share->setPassword($password);
Expand Down Expand Up @@ -2178,11 +2224,14 @@ public function sendShareEmail(string $id, $password = ''): DataResponse {
// the password clear, it is just a temporary
// object manipulation. The password will stay
// encrypted in the database.
if ($share->getPassword() !== null && $share->getPassword() !== $password) {
if (($share->getPassword() !== null && $share->getPassword() !== $password) || ($share->getOneTimePassword() !== null)) {
if (!$this->shareManager->checkPassword($share, $password)) {
throw new OCSBadRequestException($this->l->t('Wrong password'));
}
$share = $share->setPassword($password);
$share->setPassword($password);
if ($password !== null && $password !== '') {
$share->setOneTimePassword(null);
}
}

$provider->sendMailNotification($share);
Expand Down
37 changes: 33 additions & 4 deletions apps/files_sharing/lib/Controller/ShareController.php
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,17 @@
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserManager;
use OCP\OneTimePassword\IManager as IOTPManager;
use OCP\Security\Events\GenerateSecurePasswordEvent;
use OCP\Security\IHasher;
use OCP\Security\ISecureRandom;
use OCP\Security\PasswordContext;
use OCP\Share;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager as ShareManager;
use OCP\Share\IPublicShareTemplateFactory;
use OCP\Share\IShare;
use Psr\Log\LoggerInterface;

/**
* @package OCA\Files_Sharing\Controllers
Expand Down Expand Up @@ -78,10 +81,30 @@ public function __construct(
protected ISecureRandom $secureRandom,
protected Defaults $defaults,
private IPublicShareTemplateFactory $publicShareTemplateFactory,
private LoggerInterface $logger,
private IHasher $hasher,
private IOTPManager $otpManager,
) {
parent::__construct($appName, $request, $session, $urlGenerator);
}

private function getOtpProviderInfo(): array {
$otpProvider = null;
$otpProviderInfo = null;
if ($this->share->getOneTimePassword() !== null) {
$otpProvider = $this->otpManager->getOTPProviderById($this->share->getOneTimePassword()->getProviderId());
}
if ($otpProvider !== null) {
$otpProviderInfo = [
'name' => $otpProvider->getName(),
'description' => $otpProvider->getDescription(),
'recipientPattern' => $otpProvider->getRecipientPattern(),
'maskedRecipient' => $otpProvider->maskRecipient($this->share->getOneTimePassword()->getRecipient()),
];
}
return $otpProviderInfo;
}

/**
* Show the authentication page
* The form has to submit to the authenticate method route
Expand All @@ -90,7 +113,7 @@ public function __construct(
#[PublicPage]
#[NoCSRFRequired]
public function showAuthenticate(): TemplateResponse {
$templateParameters = ['share' => $this->share];
$templateParameters = ['share' => $this->share, 'otpInfo' => $this->getOtpProviderInfo()];

$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));

Expand All @@ -102,7 +125,7 @@ public function showAuthenticate(): TemplateResponse {
*/
#[\Override]
protected function showAuthFailed(): TemplateResponse {
$templateParameters = ['share' => $this->share, 'wrongpw' => true];
$templateParameters = ['share' => $this->share, 'wrongpw' => true, 'otpInfo' => $this->getOtpProviderInfo()];

$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));

Expand All @@ -114,7 +137,7 @@ protected function showAuthFailed(): TemplateResponse {
*/
#[\Override]
protected function showIdentificationResult(bool $success = false): TemplateResponse {
$templateParameters = ['share' => $this->share, 'identityOk' => $success];
$templateParameters = ['share' => $this->share, 'identityOk' => $success, 'otpInfo' => $this->getOtpProviderInfo()];

$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));

Expand Down Expand Up @@ -176,7 +199,7 @@ public function isValidToken(): bool {

#[\Override]
protected function isPasswordProtected(): bool {
return $this->share->getPassword() !== null;
return $this->share->isPasswordProtected();
}

#[\Override]
Expand All @@ -191,6 +214,12 @@ protected function authSucceeded() {
$allowedShareIds = [];
}

$otp = $this->share->getOneTimePassword();
if($otp !== null) {
$otp->setPassword(null);
$this->otpManager->updateOTP($otp);
}

$this->session->set(PublicAuth::DAV_AUTHENTICATED, array_merge($allowedShareIds, [$this->share->getId()]));
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ public function info(string $t, ?string $password = null, ?string $dir = null, i
return $response;
}

if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
if ($share->isPasswordProtected() && !$this->shareManager->checkPassword($share, $password)) {
$response = new JSONResponse([], Http::STATUS_FORBIDDEN);
$response->throttle(['token' => $t]);
return $response;
Expand Down
Loading