Support signed urls

DeepDiver1975 · DeepDiver1975 · commit db2cad61ceb6 · 2020-07-06T08:36:43.000+02:00
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
@@ -39,6 +39,7 @@
 	\OC::$server->getRequest(),
 	\OC::$server->getTwoFactorAuthManager(),
 	\OC::$server->getAccountModuleManager(),
+	\OC::$server->getConfig(),
 	'principals/'
 );
 $principalBackend = new Principal(
diff --git a/apps/dav/appinfo/v1/carddav.php b/apps/dav/appinfo/v1/carddav.php
@@ -39,6 +39,7 @@
 	\OC::$server->getRequest(),
 	\OC::$server->getTwoFactorAuthManager(),
 	\OC::$server->getAccountModuleManager(),
+	\OC::$server->getConfig(),
 	'principals/'
 );
 $principalBackend = new Principal(
diff --git a/apps/dav/appinfo/v1/webdav.php b/apps/dav/appinfo/v1/webdav.php
@@ -48,6 +48,7 @@
 	\OC::$server->getRequest(),
 	\OC::$server->getTwoFactorAuthManager(),
 	\OC::$server->getAccountModuleManager(),
+	\OC::$server->getConfig(),
 	'principals/'
 );
 $requestUri = \OC::$server->getRequest()->getRequestUri();
diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -29,15 +29,16 @@
  */
 namespace OCA\DAV\Connector\Sabre;
 
-use Exception;
 use OC\AppFramework\Http\Request;
 use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
 use OC\Authentication\TwoFactorAuth\Manager;
 use OC\Authentication\AccountModule\Manager as AccountModuleManager;
+use OC\Security\SignedUrl\Verifier;
 use OC\User\LoginException;
 use OC\User\Session;
 use OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden;
 use OCP\Authentication\Exceptions\AccountCheckException;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use Sabre\DAV\Auth\Backend\AbstractBasic;
@@ -47,34 +48,38 @@
 use Sabre\HTTP\ResponseInterface;
 
 class Auth extends AbstractBasic {
-	const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
+	public const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
 
 	/** @var ISession */
 	private $session;
 	/** @var Session */
 	private $userSession;
 	/** @var IRequest */
 	private $request;
-	/** @var string */
-	private $currentUser;
 	/** @var Manager */
 	private $twoFactorManager;
 	/** @var AccountModuleManager */
 	private $accountModuleManager;
+	/**
+	 * @var IConfig
+	 */
+	private $config;
 
 	/**
 	 * @param ISession $session
 	 * @param Session $userSession
 	 * @param IRequest $request
 	 * @param Manager $twoFactorManager
 	 * @param AccountModuleManager $accountModuleManager
+	 * @param IConfig $config
 	 * @param string $principalPrefix
 	 */
 	public function __construct(ISession $session,
 								Session $userSession,
 								IRequest $request,
 								Manager $twoFactorManager,
 								AccountModuleManager $accountModuleManager,
+								IConfig $config,
 								$principalPrefix = 'principals/users/') {
 		$this->session = $session;
 		$this->userSession = $userSession;
@@ -86,6 +91,7 @@ public function __construct(ISession $session,
 		// setup realm
 		$defaults = new \OC_Defaults();
 		$this->realm = $defaults->getName();
+		$this->config = $config;
 	}
 
 	/**
@@ -158,7 +164,7 @@ public function check(RequestInterface $request, ResponseInterface $response) {
 			throw new NotAuthenticated($e->getMessage(), $e->getCode(), $e);
 		} catch (NotAuthenticated $e) {
 			throw $e;
-		} catch (Exception $e) {
+		} catch (\Exception $e) {
 			$class = \get_class($e);
 			$msg = $e->getMessage();
 			throw new ServiceUnavailable("$class: $msg");
@@ -205,6 +211,7 @@ private function requiresCSRFCheck() {
 	 * @return array
 	 * @throws NotAuthenticated
 	 * @throws ServiceUnavailable
+	 * @throws LoginException
 	 */
 	private function auth(RequestInterface $request, ResponseInterface $response) {
 		$forcedLogout = false;
@@ -230,7 +237,6 @@ private function auth(RequestInterface $request, ResponseInterface $response) {
 				$this->checkAccountModule($user);
 				$uid = $user->getUID();
 				\OC_Util::setupFS($uid);
-				$this->currentUser = $uid;
 				$this->session->close();
 				return [true, $this->principalPrefix . $uid];
 			}
@@ -246,14 +252,37 @@ private function auth(RequestInterface $request, ResponseInterface $response) {
 			$startPos = \strrpos($data[1], '/') + 1;
 			$data[1] = \substr_replace($data[1], $user->getUID(), $startPos);
 		}
+
+		// signed url handling
+		$verifier = new Verifier($request, $this->config);
+		if ($verifier->isSignedRequest()) {
+			if (!$verifier->signedRequestIsValid()) {
+				return [false, 'Invalid url signature'];
+			}
+			// TODO: setup session ???
+			$urlCredential = $verifier->getUrlCredential();
+			$user = \OC::$server->getUserManager()->get($urlCredential);
+			if ($user === null) {
+				$message = \OC::$server->getL10N('dav')->t('User unknown');
+				throw new LoginException($message);
+			}
+			if (!$user->isEnabled()) {
+				$message = \OC::$server->getL10N('dav')->t('User disabled');
+				throw new LoginException($message);
+			}
+			$this->userSession->setUser($user);
+			\OC_Util::setupFS($urlCredential);
+			$this->session->close();
+			return [true, $this->principalPrefix . $urlCredential];
+		}
 		return $data;
 	}
 
 	/**
 	 * @param $user
 	 * @throws ServiceUnavailable
 	 */
-	private function checkAccountModule($user) {
+	private function checkAccountModule($user): void {
 		if ($user === null) {
 			throw new \UnexpectedValueException('No user in session');
 		}
@@ -264,7 +293,7 @@ private function checkAccountModule($user) {
 		}
 	}
 
-	public function challenge(RequestInterface $request, ResponseInterface $response) {
+	public function challenge(RequestInterface $request, ResponseInterface $response): void {
 		$schema = 'Basic';
 		// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
 		if (\in_array('XMLHttpRequest', \explode(',', $request->getHeader('X-Requested-With')), true)) {
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
@@ -119,7 +119,8 @@ public function __construct(IRequest $request, $baseUri) {
 			OC::$server->getUserSession(),
 			OC::$server->getRequest(),
 			OC::$server->getTwoFactorAuthManager(),
-			OC::$server->getAccountModuleManager()
+			OC::$server->getAccountModuleManager(),
+			\OC::$server->getConfig()
 		);
 
 		// Set URL explicitly due to reverse-proxy situations
diff --git a/apps/dav/tests/unit/Connector/Sabre/AuthTest.php b/apps/dav/tests/unit/Connector/Sabre/AuthTest.php
@@ -33,6 +33,7 @@
 use OC\User\LoginException;
 use OC\User\Session;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUser;
@@ -61,6 +62,10 @@ class AuthTest extends TestCase {
 	private $twoFactorManager;
 	/** @var AccountModuleManager | MockObject */
 	private $accountModuleManager;
+	/**
+	 * @var IConfig|MockObject
+	 */
+	private $config;
 
 	public function setUp(): void {
 		parent::setUp();
@@ -69,12 +74,14 @@ public function setUp(): void {
 		$this->request = $this->createMock(IRequest::class);
 		$this->twoFactorManager = $this->createMock(Manager::class);
 		$this->accountModuleManager = $this->createMock(AccountModuleManager::class);
+		$this->config = $this->createMock(IConfig::class);
 		$this->auth = new Auth(
 			$this->session,
 			$this->userSession,
 			$this->request,
 			$this->twoFactorManager,
-			$this->accountModuleManager
+			$this->accountModuleManager,
+			$this->config
 		);
 	}
 
diff --git a/core/Controller/CloudController.php b/core/Controller/CloudController.php
@@ -71,4 +71,25 @@ public function getCurrentUser() {
 		];
 		return ['data' => $data];
 	}
+
+	/**
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 * @CORS
+	 *
+	 * @return array
+	 * @throws \OCP\PreConditionNotMetException
+	 */
+	public function getSigningKey(): array {
+		$userId = \OC_User::getUser();
+		$signingKey = \OC::$server->getConfig()->getUserValue($userId, 'core', 'signing-key', null);
+		if ($signingKey === null) {
+			$signingKey = \OC::$server->getSecureRandom()->generate(64);
+			\OC::$server->getConfig()->setUserValue($userId, 'core', 'signing-key', $signingKey, null);
+		}
+		return ['data' => [
+			'user' => $userId,
+			'signing-key' => $signingKey
+		]];
+	}
 }
diff --git a/core/routes.php b/core/routes.php
@@ -59,6 +59,7 @@
 	'ocs' => [
 		['root' => '/cloud', 'name' => 'Cloud#getCapabilities', 'url' => '/capabilities', 'verb' => 'GET'],
 		['root' => '/cloud', 'name' => 'Cloud#getCurrentUser', 'url' => '/user', 'verb' => 'GET'],
+		['root' => '/cloud', 'name' => 'Cloud#getSigningKey', 'url' => '/user/signing-key', 'verb' => 'GET'],
 		['root' => '/cloud', 'name' => 'Roles#getRoles', 'url' => '/roles', 'verb' => 'GET'],
 		['root' => '/cloud', 'name' => 'UserSync#syncUser', 'url' => '/user-sync/{userId}', 'verb' => 'POST'],
 	]
diff --git a/lib/private/OCS/CoreCapabilities.php b/lib/private/OCS/CoreCapabilities.php
@@ -54,6 +54,7 @@ public function getCapabilities() {
 				'pollinterval' => $this->config->getSystemValue('pollinterval', 60),
 				'webdav-root' => $this->config->getSystemValue('webdav-root', 'remote.php/webdav'),
 				'status' => Util::getStatusInfo(true),
+				'support-url-signing' => true,
 			]
 		];
 	}
diff --git a/lib/private/Security/SignedUrl/Verifier.php b/lib/private/Security/SignedUrl/Verifier.php
@@ -0,0 +1,105 @@
+<?php
+/**
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ *
+ * @copyright Copyright (c) 2020, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Security\SignedUrl;
+
+use OCP\IConfig;
+use Sabre\HTTP\RequestInterface;
+
+class Verifier {
+
+	/**
+	 * @var RequestInterface
+	 */
+	private $request;
+	/**
+	 * @var IConfig
+	 */
+	private $config;
+	/**
+	 * @var \DateTime|null
+	 */
+	private $now;
+
+	public function __construct(RequestInterface $request, IConfig $config, \DateTime $now = null) {
+		$this->request = $request;
+		$this->config = $config;
+		$this->now = $now ?? new \DateTime();
+	}
+
+	public function isSignedRequest(): bool {
+		$params = $this->getQueryParameters();
+		return isset($params['OC-Signature']);
+	}
+
+	public function signedRequestIsValid(): bool {
+		$params = $this->getQueryParameters();
+		if (!isset($params['OC-Signature'], $params['OC-Credential'], $params['OC-Date'], $params['OC-Expires'], $params['OC-Verb'])) {
+			return false;
+		}
+		$urlSignature = $params['OC-Signature'];
+		$urlCredential = $params['OC-Credential'];
+		$urlDate = $params['OC-Date'];
+		$urlExpires = $params['OC-Expires'];
+		$urlVerb = $params['OC-Verb'];
+
+		unset($params['OC-Signature']);
+
+		$qp = \http_build_query($params);
+		$url =  \Sabre\Uri\parse($this->getAbsoluteUrl());
+		$url['query'] = $qp;
+		$url = \Sabre\Uri\build($url);
+
+		$signingKey = $this->config->getUserValue($urlCredential, 'core', 'signing-key');
+
+		$hash = \hash_pbkdf2("sha512", $url, $signingKey, 10000, 64, false);
+		if ($hash !== $urlSignature) {
+			return false;
+		}
+		if (\strtoupper($this->getMethod()) !== \strtoupper($urlVerb)) {
+			return false;
+		}
+		$date = new \DateTime($urlDate);
+		$date->add(new \DateInterval("PT${urlExpires}S"));
+		return !($date < $this->now);
+	}
+
+	private function getQueryParameters(): array {
+		return $this->request->getQueryParameters();
+	}
+
+	public function getUrlCredential(): string {
+		$params = $this->getQueryParameters();
+		if (!isset($params['OC-Credential'])) {
+			throw new \LogicException('OC-Credential not set');
+		}
+
+		return $params['OC-Credential'];
+	}
+
+	private function getAbsoluteUrl(): string {
+		return $this->request->getAbsoluteUrl();
+	}
+
+	private function getMethod(): string {
+		return $this->request->getMethod();
+	}
+}
diff --git a/tests/lib/Security/SignedUrl/VerifierTest.php b/tests/lib/Security/SignedUrl/VerifierTest.php

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@`
`59`	`59`	`'ocs' => [`
`60`	`60`	`['root' => '/cloud', 'name' => 'Cloud#getCapabilities', 'url' => '/capabilities', 'verb' => 'GET'],`
`61`	`61`	`['root' => '/cloud', 'name' => 'Cloud#getCurrentUser', 'url' => '/user', 'verb' => 'GET'],`
	`62`	`+ ['root' => '/cloud', 'name' => 'Cloud#getSigningKey', 'url' => '/user/signing-key', 'verb' => 'GET'],`
`62`	`63`	`['root' => '/cloud', 'name' => 'Roles#getRoles', 'url' => '/roles', 'verb' => 'GET'],`
`63`	`64`	`['root' => '/cloud', 'name' => 'UserSync#syncUser', 'url' => '/user-sync/{userId}', 'verb' => 'POST'],`
`64`	`65`	`]`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ public function getCapabilities() {`
`54`	`54`	`'pollinterval' => $this->config->getSystemValue('pollinterval', 60),`
`55`	`55`	`'webdav-root' => $this->config->getSystemValue('webdav-root', 'remote.php/webdav'),`
`56`	`56`	`'status' => Util::getStatusInfo(true),`
	`57`	`+ 'support-url-signing' => true,`
`57`	`58`	`]`
`58`	`59`	`];`
`59`	`60`	`}`