Skip to content

Implement IProvideUserSecretBackend compatibility for per-user encryption #697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Implement IProvideUserSecretBackend compatibility for per-user encryption #697

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions lib/SAMLSettings.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ class SAMLSettings {
'saml-attribute-mapping-home_mapping',
'saml-attribute-mapping-quota_mapping',
'saml-attribute-mapping-mfa_mapping',
'saml-attribute-mapping-user_secret_mapping',
'saml-user-filter-reject_groups',
'saml-user-filter-require_groups',
'sp-x509cert',
Expand Down
6 changes: 5 additions & 1 deletion lib/Settings/Admin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,11 @@ public function getForm() {
'type' => 'line',
'required' => false,
],

'user_secret_mapping' => [
'text' => $this->l10n->t('Attribute to use as user secret e.g. for the encryption app.'),
'type' => 'line',
'required' => false,
],
];

$userFilterSettings = [
Expand Down
111 changes: 94 additions & 17 deletions lib/UserBackend.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

use OCP\Authentication\IApacheBackend;
use OCP\EventDispatcher\GenericEvent;
use OCP\Authentication\IProvideUserSecretBackend;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\Files\NotPermittedException;
use OCP\IConfig;
Expand All @@ -40,7 +41,7 @@
use OCP\User\Events\UserChangedEvent;
use OCP\UserInterface;

class UserBackend implements IApacheBackend, UserInterface, IUserBackend, IGetDisplayNameBackend {
class UserBackend implements IApacheBackend, UserInterface, IUserBackend, IGetDisplayNameBackend, IProvideUserSecretBackend {
/** @var IConfig */
private $config;
/** @var IURLGenerator */
Expand Down Expand Up @@ -148,10 +149,63 @@ public function createUserIfNotExists($uid, array $attributes = []) {
}
$qb->execute();

// If we use per-user encryption the keys must be initialized first
$userSecret = $this->getUserSecret($uid, $attributes);
if ($userSecret !== null) {
$this->updateUserSecretHash($uid, $userSecret);
// Emit a post login action to initialize the encryption module with the user secret provided by the idp.
\OC_Hook::emit('OC_User', 'post_login', ['run' => true, 'uid' => $uid, 'password' => $userSecret, 'isTokenLogin' => false]);
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please dispatch the typed event \OCP\User\Events\PostLoginEvent instead of deprecated OC_Hook::emit(…).

}
$this->initializeHomeDir($uid);
}
}

private function getUserSecretHash($uid) {
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private function getUserSecretHash($uid) {
private function getUserSecretHashes($uid): array {

may return up to ten, should be reflected in the name. Is 10 an arbitrary number, or where does it come from?

$qb = $this->db->getQueryBuilder();
$qb->select('token')
->from('user_saml_auth_token')
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
->andWhere($qb->expr()->eq('name', $qb->createNamedParameter('sso_secret_hash')))
->setMaxResults(10);
$result = $qb->execute();
$data = $result->fetchAll();
$result->closeCursor();
return $data;
}

private function checkUserSecretHash($uid, $userSecret) {
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private function checkUserSecretHash($uid, $userSecret) {
private function checkUserSecretHash($uid, $userSecret): bool {

$data = $this->getUserSecretHash($uid);
foreach($data as $row) {
$storedHash = $row['token'];
if (\OC::$server->getHasher()->verify($userSecret, $storedHash, $newHash)) {
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please use ' \OCP\Server::get(OCP\Security\IHasher::class)over deprecated and private\OC::$server->getHasher()`. Also on in the other places.

if (!empty($newHash)) {
$this->updateUserSecretHash($uid, $userSecret, true);
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mh, the function is said to check the hash, not update it.

}
return true;
}
}
return false;
}

private function updateUserSecretHash($uid, $userSecret, $exists = false) {
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private function updateUserSecretHash($uid, $userSecret, $exists = false) {
private function updateUserSecretHash($uid, $userSecret, $exists = false): bool {

$qb = $this->db->getQueryBuilder();
$hash = \OC::$server->getHasher()->hash($userSecret);
if ($exists || count($this->getUserSecretHash($uid)) > 0) {
$qb->update('user_saml_auth_token')
->set('token', $qb->createNamedParameter($hash))
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
->andWhere($qb->expr()->eq('name', $qb->createNamedParameter('sso_secret_hash')));
} else {
$qb->insert('user_saml_auth_token')
->values([
'uid' => $qb->createNamedParameter($uid),
'token' => $qb->createNamedParameter($hash),
'name' => $qb->createNamedParameter('sso_secret_hash'),
]);
}
return $qb->execute();
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return $qb->execute();
return $qb->executeStatement() > 0;

}

/**
* @param string $uid
* @throws \OCP\Files\NotFoundException
Expand Down Expand Up @@ -195,22 +249,15 @@ public function implementsActions($actions) {
* @return string
*
* Check if the password is correct without logging in the user
* returns the user id or false
* returns the user id or false.
*
* By default user_saml tokens are passwordless and this function
* is unused. It is only called if we have tokens with passwords,
* which happens if we have SSO provided user secrets.
*/
public function checkPassword($uid, $password) {
$qb = $this->db->getQueryBuilder();
$qb->select('token')
->from('user_saml_auth_token')
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
->setMaxResults(1000);
$result = $qb->execute();
$data = $result->fetchAll();
$result->closeCursor();

foreach ($data as $passwords) {
if (password_verify($password, $passwords['token'])) {
return $uid;
}
if ($this->checkUserSecretHash($uid, $password)) {
return $uid;
}

return false;
Expand Down Expand Up @@ -508,6 +555,16 @@ public function getCurrentUserId() {
return '';
}

/**
* Optionally returns a stable per-user secret. This secret is for
* instance used to secure file encryption keys.
* @return string|null
* @since 26.0.0
*/
public function getCurrentUserSecret(): string {
$samlData = $this->session->get('user_saml.samlUserData');
return $this->getUserSecret($this->getCurrentUserId(), $samlData);
}

/**
* Backend name to be shown in user management
Expand Down Expand Up @@ -608,6 +665,21 @@ private function getAttributeArrayValue($name, array $attributes) {
return $value;
}

private function getUserSecret($uid, array $attributes) {
Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$uid is unused and can be removed.

Copy link
Member

@blizzz blizzz Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private function getUserSecret($uid, array $attributes) {
private function getUserSecret(array $attributes): ?string {

try {
$userSecret = $this->getAttributeValue('saml-attribute-mapping-user_secret_mapping', $attributes);
if ($userSecret === '') {
$this->logger->debug('Got no user_secret from idp', ['app' => 'user_saml']);
} else {
$this->logger->debug('Got user_secret from idp', ['app' => 'user_saml']);
return $userSecret;
}
} catch (\InvalidArgumentException $e) {
$this->logger->debug('No user_secret mapping configured', ['app' => 'user_saml']);
}
return null;
}

public function updateAttributes($uid,
array $attributes) {
$user = $this->userManager->get($uid);
Expand Down Expand Up @@ -679,11 +751,16 @@ public function updateAttributes($uid,
$groupManager->get($group)->removeUser($user);
}
}

$userSecret = $this->getUserSecret($uid, $attributes);
if ($userSecret !== null) {
if (!$this->checkUserSecretHash($uid, $userSecret)) {
$this->updateUserSecretHash($uid, $userSecret);
}
}
}
}



public function countUsers() {
$query = $this->db->getQueryBuilder();
$query->select($query->func()->count('uid'))
Expand Down